Snort mailing list archives
Re: Disabled rule still alerting - UPDATE - FIXED !
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 Aug 2012 15:43:13 -0400
I try not to link anything when it comes to rules and stuff. Absolute paths ftw. On Aug 29, 2012, at 3:32 PM, "Tony Reusser" <treusser () filertel com> wrote:
UPDATE--- I think I fixed it. I created a symbolic link to my OLD so_rules directory before I installed pulledpork. I deleted the link and created a new one to the pulledpork-created stub file directory, but I used the same name for the link. Apparently some weird stuff can happen when you start messing around with file links. I re-created the link using a different name and that seems to have fixed the problem. It seems I did indeed have a duplicate set of rules that wasn’t intended. Thanks for the input. It helped me look in the right direction. *still a linux n00b* From: Tony Reusser [mailto:treusser () filertel com] Sent: Wednesday, August 29, 2012 12:40 PM To: snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] Disabled rule still alerting Yes, Snort and barnyard2 restarted (NOT SIGHUP’d) I even rebooted the box just to make sure. Pulledpork used to create my two “uber-rules” files: /etc/rules/snort.rules /etc/so_rules/so_rules.rules Snort.conf modified to include these ONLY. No duplicate rules. I double and triple checked! It looks like the alert is triggering on ALL of my legitimate DNS traffic. This is getting very annoying! Thinking about going back to basic configuration (VRT rules only) until a new ruleset is available. I’m only a ‘registered’ user, so I’m running on 30-day-old rules anyway. From: Vladimir Gajić [mailto:vladogajic () gmail com] Sent: Wednesday, August 29, 2012 12:25 PM To: Tony Reusser Subject: Re: [Snort-sigs] Disabled rule still alerting I don't know how experienced you are, so I'll give it a try with this silly idea: Did you restart snort, to force it to reload signatures? Or, if you played with that rule earlier, is it possible that you copied it to another file, so you have it doubled? Greetings, Vladimir 2012/8/29 Tony Reusser <treusser () filertel com> I’ve recently installed the latest 2.9.3.0 VRT ruleset along with the latest ET rules (as of 8/27) I’m getting TONS of hits for the following: 3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid) Here is my disablesid.conf: # BAD-TRAFFIC MS10-024,cve:2010-1690,3:21355,3:19187 # GPL ICMP_INFO 1:2100368,1:2100366 # SMTP 1:2000328 # DNS 1:2003195 Here is an excerpt from my ‘snort.rules’ showing it is indeed commented-out: # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;) Yet, I continue to get thousands of alerts. Can anybody help me figure out how to turn these off? Thanks Tony ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Disabled rule still alerting Tony Reusser (Aug 29)
- Message not available
- Re: Disabled rule still alerting Tony Reusser (Aug 29)
- Re: Disabled rule still alerting - UPDATE - FIXED ! Tony Reusser (Aug 29)
- Re: Disabled rule still alerting - UPDATE - FIXED ! Joel Esler (Aug 29)
- Re: Disabled rule still alerting Tony Reusser (Aug 29)
- Message not available
- Message not available
- Re: Disabled rule still alerting Tony Reusser (Aug 29)
- Re: Disabled rule still alerting Joel Esler (Aug 29)
- Re: Disabled rule still alerting Tony Reusser (Aug 29)