Re: Disabled rule still alerting

[Joel Esler <jesler () sourcefire com>]

gen_id 3, sig_id 21355

should suppress it.

On Aug 29, 2012, at 2:54 PM, Tony Reusser <treusser () filertel com> wrote:

> How do you suppress it?
>  
> It is a shared-object dynamic rule that does not have a gen-id/sig-id in gen-msg.map.
>  
> I’m following the recommended procedure by putting it in the ‘disablesid.conf’ file when running pulledpork.  I even 
> tried the ‘-E’ option so only enabled rules get written to the outfile (so the rule doesn’t even exist anymore) and I 
> STILL get the alerts!!!
>  
> From: mlarchuleta () gmail com [mailto:mlarchuleta () gmail com] 
> Sent: Wednesday, August 29, 2012 12:45 PM
> To: Tony Reusser
> Subject: Re: [Snort-sigs] Disabled rule still alerting
>  
> Suppress the rule, don't comment it out.
>
> Sent from my iPhone
>
> On Aug 29, 2012, at 12:15 PM, "Tony Reusser" <treusser () filertel com> wrote:
>
> I’ve recently installed the latest 2.9.3.0 VRT ruleset along with the latest ET rules (as of 8/27)
>  
> I’m getting TONS of hits for the following:
>  
> 3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid)
>  
> Here is my disablesid.conf:
>  
> # BAD-TRAFFIC
> MS10-024,cve:2010-1690,3:21355,3:19187
>  
> # GPL ICMP_INFO
> 1:2100368,1:2100366
>  
> # SMTP
> 1:2000328
>  
> # DNS
> 1:2003195
>  
> Here is an excerpt from my ‘snort.rules’ showing it is indeed commented-out:
>  
> # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched 
> txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; 
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;)
>  
> Yet, I continue to get thousands of alerts.  Can anybody help me figure out how to turn these off?
>  
> Thanks
>  
> Tony
>  
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!