Re: Disabled rule still alerting - UPDATE - FIXED !

[Joel Esler <jesler () sourcefire com>]

I try not to link anything when it comes to rules and stuff.  Absolute paths ftw.

On Aug 29, 2012, at 3:32 PM, "Tony Reusser" <treusser () filertel com> wrote:

> UPDATE---
>  
> I think I fixed it.
>  
> I created a symbolic link to my OLD so_rules directory before I installed pulledpork.  I deleted the link and created 
> a new one to the pulledpork-created stub file directory, but I used the same name for the link.  Apparently some 
> weird stuff can happen when you start messing around with file links.  I re-created the link using a different name 
> and that seems to have fixed the problem.  It seems I did indeed have a duplicate set of rules that wasn’t intended.
>  
> Thanks for the input.  It helped me look in the right direction.
>  
> *still a linux n00b*
>  
> From: Tony Reusser [mailto:treusser () filertel com] 
> Sent: Wednesday, August 29, 2012 12:40 PM
> To: snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] Disabled rule still alerting
>  
> Yes,
>  
> Snort and barnyard2 restarted (NOT SIGHUP’d)
> I even rebooted the box just to make sure.
>  
> Pulledpork used to create my two “uber-rules” files:
>  
> /etc/rules/snort.rules
> /etc/so_rules/so_rules.rules
>  
> Snort.conf modified to include these ONLY.
>  
> No duplicate rules.  I double and triple checked!
>  
> It looks like the alert is triggering on ALL of my legitimate DNS traffic.  This is getting very annoying!  Thinking 
> about going back to basic configuration (VRT rules only) until a new ruleset is available.  I’m only a ‘registered’ 
> user, so I’m running on 30-day-old rules anyway.
>  
> From: Vladimir Gajić [mailto:vladogajic () gmail com] 
> Sent: Wednesday, August 29, 2012 12:25 PM
> To: Tony Reusser
> Subject: Re: [Snort-sigs] Disabled rule still alerting
>  
> I don't know how experienced you are, so I'll give it a try with this silly idea:
>
> Did you restart snort, to force it to reload signatures?
> Or, if you played with that rule earlier, is it possible that you copied it to another file, so you have it doubled?
>
> Greetings,
> Vladimir
>
> 2012/8/29 Tony Reusser <treusser () filertel com>
> I’ve recently installed the latest 2.9.3.0 VRT ruleset along with the latest ET rules (as of 8/27)
>  
> I’m getting TONS of hits for the following:
>  
> 3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid)
>  
> Here is my disablesid.conf:
>  
> # BAD-TRAFFIC
> MS10-024,cve:2010-1690,3:21355,3:19187
>  
> # GPL ICMP_INFO
> 1:2100368,1:2100366
>  
> # SMTP
> 1:2000328
>  
> # DNS
> 1:2003195
>  
> Here is an excerpt from my ‘snort.rules’ showing it is indeed commented-out:
>  
> # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched 
> txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; 
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;)
>  
> Yet, I continue to get thousands of alerts.  Can anybody help me figure out how to turn these off?
>  
> Thanks
>  
> Tony
>  
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>  
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!