Snort mailing list archives

Re: Receiving alerts for a disabled rule


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 28 Feb 2014 16:14:16 -0500

On 2/28/2014 8:15 AM, Anshuman Anil Deshmukh wrote:
> Hi Joel,
>
> The rule is disabled. I even restarted the snort machine but still alerts for
> this rule are getting generated. Please help.

is your snort configured to actually use and follow those textual rule files for 
en/disabling those GID 3 rules? there are similar for the other generators and 
they are ignored unless snort is specifically configured to use them...

> Here is the actual rule-
>
> # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS generic web
> server hashing collision attack"; sid:20825; gid:3; rev:8;
> classtype:attempted-dos; reference:cve,2011-3414;
> reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html;
> reference:url,technet.microsoft.com/en-us/security/advisory/2659883;
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100;
> reference:cve,2012-0830; reference:cve,2010-1899; reference:cve,2011-5037;
> metadata: engine shared, soid 3|20825, service http;)



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
