Snort mailing list archives

PulledPork and modifying So_rule stubs


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Thu, 23 Jun 2011 11:21:14 +0530

Hi,
I have been using PulledPork for Snort rule management and it is very good.
Recently I noticed that Snort rule 3-10481 (Squid NTLM exploit rule) is
defined only for port 3128.
But here we have proxies running on many different ports, so I decided to
change the rule from $external_net 3128 to $external_net [3128,xxxx,yyyy].
However, the modifysid.conf file explicitly stated that any changes will
only occur to gid:1 files and not gid:3 stubs (since they are inconsequential
or such stuff). I tried making an entry in modifysid.conf for said rule, but
it didn't fire. So I manually changed the rule line and restarted Snort.
Earlier, the Squid NTLM exploit, when fired from Metasploit on port xxxx, was
not detected. But now, since I had modified the so_rule stub to include xxxx
in the port part, it was detected.
So my question is: why doesn't PulledPork modify stubs of rules with gid:3
(at least parts such as home_net, external_net, source/dest ports, etc.) when
clearly such changes are reflected in Snort's behaviour?

Regards,
Dheeraj

-- 
To iterate is human. To recurse, divine!
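The manual edit the poster describes (widening the port field of a gid:3 so_rule stub so the shared-object rule also fires against proxies on non-default ports) is easy to get wrong by hand across many stubs. The script below is an added example, not PulledPork's code and not anything from this thread: it parses Snort rule headers in a stub file, merges extra ports into the source or destination port field of one gid:sid, and offers a check function so you can verify coverage of a given port before and after. The stub file content, the msg text and the second rule are constructed for the demonstration; the rule header grammar (action proto src_ip src_port direction dst_ip dst_port (options)) is the standard Snort one. Because PulledPork regenerates stubs from the shared-object files, a post-processing step like this has to be re-run after each update.

```python
import re

# Constructed sample so_rule stub file for the demonstration; the header shape
# follows Snort's rule grammar, the msg strings and the second rule are made up.
SAMPLE_STUBS = """\
# constructed so_rule stub file (example only)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SQUID NTLM auth overflow attempt (constructed)"; flow:to_server,established; metadata:engine shared, soid 3|10481; sid:10481; gid:3; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8080] (msg:"other shared object rule (constructed)"; metadata:engine shared, soid 3|99999; sid:99999; gid:3; rev:1;)
"""

# One Snort rule header per line: action proto src_ip src_port dir dst_ip dst_port (options)
HEADER_RE = re.compile(
    r'^(?P<prefix>\s*(?:#\s*)?)'                  # optional leading '#' (disabled rule)
    r'(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s+'
    r'(?P<options>\(.*\))\s*$'
)


def parse_ports(spec):
    """Split a Snort port spec into its tokens: '3128' -> ['3128'], '[80,8080]' -> ['80', '8080'].
    Tokens are kept as strings so variables ($HTTP_PORTS) and ranges (1024:2048) survive."""
    spec = spec.strip()
    inner = spec[1:-1] if spec.startswith('[') and spec.endswith(']') else spec
    return [t.strip() for t in inner.split(',') if t.strip()]


def add_ports(spec, extra):
    """Merge extra port tokens into a port spec, keeping order and dropping duplicates.
    'any' already covers every port, so it is returned unchanged."""
    if spec.strip().lower() == 'any':
        return spec
    existing = parse_ports(spec)
    merged = existing + [p for p in extra if p not in existing]
    return merged[0] if len(merged) == 1 else '[' + ','.join(merged) + ']'


def rule_ids(options):
    """Return (gid, sid) from the rule options; gid defaults to 1 when absent, as in Snort."""
    gid = re.search(r'\bgid\s*:\s*(\d+)\s*;', options)
    sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', options)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)) if sid else None)


def modify_stub_ports(text, gid, sid, extra_ports, side='dst'):
    """Rewrite the src or dst port field of the rule matching gid:sid.
    Returns (new_text, number_of_rules_changed); all other lines pass through untouched."""
    key = 'dst_port' if side == 'dst' else 'src_port'
    extra = [str(p) for p in extra_ports]
    out, changed = [], 0
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and rule_ids(m.group('options')) == (gid, sid):
            parts = m.groupdict()
            parts[key] = add_ports(parts[key], extra)
            line = (f"{parts['prefix']}{parts['action']} {parts['proto']} "
                    f"{parts['src_ip']} {parts['src_port']} {parts['dir']} "
                    f"{parts['dst_ip']} {parts['dst_port']} {parts['options']}")
            changed += 1
        out.append(line)
    return '\n'.join(out) + '\n', changed


def rule_covers_port(text, gid, sid, port, side='dst'):
    """True if the gid:sid rule's port field lists the given port (or is 'any')."""
    key = 'dst_port' if side == 'dst' else 'src_port'
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and rule_ids(m.group('options')) == (gid, sid):
            spec = m.group(key)
            return spec.lower() == 'any' or str(port) in parse_ports(spec)
    return False


if __name__ == '__main__':
    # 8080 and 8888 stand in for the xxxx/yyyy proxy ports in the post (constructed values).
    new_text, n = modify_stub_ports(SAMPLE_STUBS, 3, 10481, [8080, 8888])
    print(f"rules changed: {n}")
    print("covers 8888 before:", rule_covers_port(SAMPLE_STUBS, 3, 10481, 8888))
    print("covers 8888 after: ", rule_covers_port(new_text, 3, 10481, 8888))
    print(new_text)
```

Run it against a real stub file by reading the file into `text` instead of `SAMPLE_STUBS`, write the result back, and then restart Snort as the poster did; `rule_covers_port` gives a quick assertion you can put in a deployment script so a regenerated stub that silently drops the extra ports is caught before the sensor is trusted again.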