Re: problem tuning out one particular rule

[JJC <cummingsj () gmail com>]

As a quick note, Jason responded off-list stating that the srs/dst switch
was likely the culprit.. the simple way that I determined this was based on
the "directionality" of the rule.

rule snip: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any

As you can see, this is looking for a response and is TO the $HOME_NET... if
you don't understand, try harder ;-)

JJC

On Wed, Mar 30, 2011 at 10:23 AM, JJC <cummingsj () gmail com> wrote:

> Speaking from the perspective of PulledPork, that rule is re-enabled
> because it sets a flowbit that other rules (that are enabled) rely on.  As
> to the suppression, are you sure that the source is 10.0.0.0/8 and that
> it's not the dest?
>
> JJC
>
> On Wed, Mar 30, 2011 at 9:50 AM, Youngquist, Jason R. <
> jryoungquist () ccis edu> wrote:
>
> >    So I’ve been doing some Snort tuning over the last couple weeks.  I’m
> > using Snort 2.9.0.4, Barnyard2, and PulledPork 0.5.  There’s this one event
> > signature “WEB-CLIENT Portable Executable binary file transfer” (sid: 15306)
> > and I’ve been trying to tune it out, but it still keeps on firing.
> >
> >
> >
> > I have it in the disablesid.conf
> >
> > # WEB-CLIENT Portable Executable binary file transfer
> >
> > 1:15306
> >
> >
> >
> > I also put it in the threshold.conf as well
> >
> > # ignore these WEB-CLIENT Portable Executable binary file transfer
> >
> > suppress gen_id 1, sig_id 15306, track by_src, ip 10.0.0.0/8
> >
> >
> >
> > Yet, the rule keeps firing.  All of the other rules I’ve ignored using the
> > methods above have worked, so not sure what’s different about this
> > particular rule.
> >
> >
> >
> > Thoughts?
> >
> >
> >
> > Thanks.
> >
> > Jason Youngquist
> >
> > Information Technology Security Engineer
> >
> > Technology Services
> >
> > Columbia College
> >
> > 1001 Rogers Street, Columbia, MO  65216
> >
> > (573) 875-7334
> >
> > jryoungquist () ccis edu
> >
> > http://www.ccis.edu
> >
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Create and publish websites with WebMatrix
> > Use the most popular FREE web apps or write code yourself;
> > WebMatrix provides all the features you need to develop and
> > publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users