Snort mailing list archives
Re: Receiving alerts for a disabled rule
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 28 Feb 2014 16:14:16 -0500
On 2/28/2014 8:15 AM, Anshuman Anil Deshmukh wrote:
Hi Joel, The rule is disabled. I even restarted the snort machine but still alerts for this rule are getting generated. Please help.
is your snort configured to actually use and follow those textual rule files for en/disabling those GID 3 rules? there are similar for the other generators and they are ignored unless snort is specifically configured to use them...
Here is the actual rule-
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS generic web server hashing collision attack"; sid:20825; gid:3; rev:8; classtype:attempted-dos; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100; reference:cve,2012-0830; reference:cve,2010-1899; reference:cve,2011-5037; metadata: engine shared, soid 3|20825, service http;)
-- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
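A config check along the lines of the question in this reply, added here as an example (not code from the thread or from the Snort project): it follows the uncommented `include` lines of a snort.conf and reports every copy of a gid/sid pair, enabled or commented out. The file names, directory layout and shortened rule in `demo()` are constructed, and resolving relative include paths against the snort.conf directory is an assumption.

```python
import os
import re
import tempfile

RULE_ID = re.compile(r"\b(gid|sid)\s*:\s*(\d+)\s*;")
VAR = re.compile(r"^[ \t]*var[ \t]+(\S+)[ \t]+(\S+)", re.M)
INCLUDE = re.compile(r"^[ \t]*include[ \t]+(\S+)", re.M)  # '# include ...' never matches

def rule_state(line, gid, sid):
    """Return 'enabled' or 'disabled' if the line is the wanted rule, else None."""
    body = line.strip()
    commented = body.startswith("#")
    body = body.lstrip("# \t")
    if not re.match(r"(alert|log|pass|drop|reject|sdrop)\s", body):
        return None  # ordinary comment or blank line, not a rule
    ids = {key: int(value) for key, value in RULE_ID.findall(body)}
    if (ids.get("gid", 1), ids.get("sid")) != (gid, sid):  # gid defaults to 1
        return None
    return "disabled" if commented else "enabled"

def audit(conf_path, gid, sid):
    """Follow snort.conf include lines; return (file, line, state) per copy found."""
    base = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path) as conf:
        text = conf.read()
    variables, found = dict(VAR.findall(text)), []
    for raw in INCLUDE.findall(text):
        path = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), raw)
        path = os.path.join(base, path)  # assumption: relative to snort.conf
        if os.path.isfile(path):
            with open(path) as rules:
                for number, rule in enumerate(rules, 1):
                    if (state := rule_state(rule, gid, sid)):
                        found.append((os.path.basename(path), number, state))
    return found

def demo():
    """Constructed layout: the hand-edited stub is disabled, a second file enables it."""
    rule = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS generic '
            'web server hashing collision attack"; sid:20825; gid:3; rev:8;)\n')
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "so_rules"))
    files = {"snort.conf": "var SO_RULE_PATH so_rules\ninclude $SO_RULE_PATH/stub.rules\n"
                           "include merged.rules\n# include unused.rules\n",
             "so_rules/stub.rules": "# " + rule, "merged.rules": rule, "unused.rules": rule}
    for name, content in files.items():
        with open(os.path.join(root, name), "w") as handle:
            handle.write(content)
    return audit(os.path.join(root, "snort.conf"), 3, 20825)
```

An empty result means the file that was edited is not read by that snort.conf at all; an `enabled` entry from another file means a second, active copy of the rule is included.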