Snort mailing list archives
Re: Disabled rule still alerting
From: "Tony Reusser" <treusser () filertel com>
Date: Wed, 29 Aug 2012 12:54:24 -0600
How do you suppress it? It is a shared-object dynamic rule that does not have a gen-id/sig-id in gen-msg.map. I’m following the recommended procedure by putting it in the ‘disablesid.conf’ file when running pulledpork. I even tried the ‘-E’ option so only enabled rules get written to the outfile (so the rule doesn’t even exist anymore) and I STILL get the alerts!!! From: mlarchuleta () gmail com [mailto:mlarchuleta () gmail com] Sent: Wednesday, August 29, 2012 12:45 PM To: Tony Reusser Subject: Re: [Snort-sigs] Disabled rule still alerting Suppress the rule, don't comment it out. Sent from my iPhone On Aug 29, 2012, at 12:15 PM, "Tony Reusser" <treusser () filertel com> wrote: I’ve recently installed the latest 2.9.3.0 VRT ruleset along with the latest ET rules (as of 8/27) I’m getting TONS of hits for the following: 3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid) Here is my disablesid.conf: # BAD-TRAFFIC MS10-024,cve:2010-1690,3:21355,3:19187 # GPL ICMP_INFO 1:2100368,1:2100366 # SMTP 1:2000328 # DNS 1:2003195 Here is an excerpt from my ‘snort.rules’ showing it is indeed commented-out: # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;) Yet, I continue to get thousands of alerts. Can anybody help me figure out how to turn these off? Thanks Tony ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Disabled rule still alerting Tony Reusser (Aug 29)
- Message not available
- Re: Disabled rule still alerting Tony Reusser (Aug 29)
- Re: Disabled rule still alerting - UPDATE - FIXED ! Tony Reusser (Aug 29)
- Re: Disabled rule still alerting - UPDATE - FIXED ! Joel Esler (Aug 29)
- Re: Disabled rule still alerting Tony Reusser (Aug 29)
- Message not available
- Message not available
- Re: Disabled rule still alerting Tony Reusser (Aug 29)
- Re: Disabled rule still alerting Joel Esler (Aug 29)
- Re: Disabled rule still alerting Tony Reusser (Aug 29)