Snort mailing list archives
Re: PulledPork and modifying So_rule stubs
From: JJC <cummingsj () gmail com>
Date: Thu, 23 Jun 2011 09:12:51 -0600
I think that this would be a valid use-case to allow gid:3 rules to be modified, consider it a feature request that we will work into the tool.

JJC

On Wed, Jun 22, 2011 at 11:51 PM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:
> Hi,
>
> I have been using pulledpork for Snort rule management and it is very good. Recently I noticed that snort rule 3-10481 (Squid NTLM Exploit Rule) is defined only for port 3128. But, here we have proxies running on many different ports, so I decided to change the rule from $external_net 3128 to $external_net [3128,xxxx,yyyy]. However, the modifysid.conf file explicitly stated that any changes will only occur to gid:1 files and not gid:3 stubs (since they are inconsequential or such stuff). I tried making an entry in modifysid.conf for said rule, but it didn't fire. So, I manually changed the rule line and restarted snort.
>
> Earlier the Squid NTLM exploit when fired from Metasploit on port xxxx was not detected. But now, since I had modified the so_rule stub to include xxxx in the port part, it was detected.
>
> So, my question is why doesn't pulledpork modify stubs of rules with gid:3 (at least parts such as home_net, external_net, source/dest ports etc.) when clearly such changes reflect in snort's behaviour?
>
> Regards,
> Dheeraj
>
> --
> To iterate is human. To recurse, divine!
>
> ------------------------------------------------------------------------------
> Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Data protection magic? Nope - It's vRanger. Get your free trial download today. http://p.sf.net/sfu/quest-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please see http://www.snort.org/docs for documentation
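The behaviour Dheeraj describes (a modifysid.conf entry silently ignored for a gid:3 stub) and the feature JJC agrees to (letting such entries rewrite stubs too) come down to a gid check in front of the substitution step. The Python below is an added illustration written for this archive, not PulledPork's own code: it assumes a `sid,"from","to"` line format for the modification file, uses constructed rule lines rather than the real Snort stub text, and uses made-up ports 8080 and 8888 in place of the xxxx/yyyy in the post. With the default `allowed_gids={1}` the gid:3 stub is left untouched; with `{1, 3}` the header is rewritten the way Dheeraj did by hand.

```python
import re

# Constructed rule lines for demonstration (not the real Snort rule text).
# The first carries gid:3, marking it as a shared-object (so_rule) stub;
# the second has no gid option and therefore defaults to gid:1.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"CONSTRUCTED Squid NTLM stub"; sid:10481; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"CONSTRUCTED gid 1 rule"; sid:99999; rev:1;)
"""

# Assumed modification-file syntax: sid,"from-regex","to-text".
# The quoting convention is an assumption made for this example.
SAMPLE_MODS = """\
# hypothetical entries: widen the proxy port list on both rules
10481,"3128","[3128,8080,8888]"
99999,"3128","[3128,8080,8888]"
"""

MOD_LINE_RE = re.compile(r'^\s*(\d+)\s*,\s*"(.*?)"\s*,\s*"(.*?)"\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_mods(text):
    """Return {sid: [(compiled_regex, replacement_text), ...]}."""
    mods = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MOD_LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable modification line: {line!r}")
        sid, src, dst = m.groups()
        mods.setdefault(int(sid), []).append((re.compile(src), dst))
    return mods


def rule_ids(rule):
    """Return (gid, sid) for a rule line, gid defaulting to 1; None if no sid."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_mods(rules_text, mods, allowed_gids=frozenset({1})):
    """Apply per-sid substitutions, but only to rules whose gid is allowed.

    Returns (rewritten_text, list_of_(gid, sid)_actually_changed).
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        ids = rule_ids(line)
        if ids is None or ids[0] not in allowed_gids or ids[1] not in mods:
            out.append(line)  # comment, blank, foreign gid, or no entry
            continue
        new = line
        for pattern, repl in mods[ids[1]]:
            # Insert the replacement literally so backslashes/group refs
            # in the "to" text cannot be misread as regex escapes.
            new = pattern.sub(lambda _m, r=repl: r, new)
        if new != line:
            changed.append(ids)
        out.append(new)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    mods = parse_mods(SAMPLE_MODS)
    for gids in ({1}, {1, 3}):
        text, changed = apply_mods(SAMPLE_RULES, mods, allowed_gids=gids)
        print(f"allowed gids {sorted(gids)} -> changed {changed}")
        print(text)
```

Run as-is it prints both passes: the first leaves the gid:3 stub on port 3128 only (the silent no-op Dheeraj hit), the second rewrites its header to `[3128,8080,8888]`. The point worth keeping from the exchange is that the gid filter, not the regex, decides whether a stub's port list ever changes, so anyone relying on modified stubs should diff the generated rules file after each PulledPork run rather than trusting the configuration entry alone.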
Current thread:
- PulledPork and modifying So_rule stubs Dheeraj Gupta (Jun 22)
- Re: PulledPork and modifying So_rule stubs JJC (Jun 23)
- Re: PulledPork and modifying So_rule stubs Michael Lubinski (Jun 23)
- Re: PulledPork and modifying So_rule stubs JJC (Jun 23)