Snort mailing list archives
Re: Pulledpork doesn't disable some rules
From: Y M <snort () outlook com>
Date: Mon, 14 Apr 2014 15:20:21 +0000
I only want to remove rule 2011582, not the others. If I am understanding ok, if I put the following in my modifysid.conf:

2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""

I disable all these rules ... is it ok??
Since you specified the sid for PulledPork, it should only modify that particular signature. YM
Date: Mon, 14 Apr 2014 13:40:51 +0000
From: carlopmart () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulledpork doesn't disable some rules

On Mon, Apr 14, 2014 at 1:28 PM, Y M <snort () outlook com> wrote:

Ok, I have applied the following solution posted in https://code.google.com/p/pulledpork/issues/detail?id=82, using modifysid option without luck.

This depends on how you are modifying the rule in the modifysid.conf file, and if there are other rules that check if this particular flowbit is set. For example:

Rule A --> sets --> flowbit 1
Rule B --> checks (isset/isnotset) --> flowbit 1

In this case, if you disable Rule A, PulledPork will re-enable it since another rule (Rule B) is checking the same flowbit (flowbit 1). The order in which PulledPork will process the rules (modifysid.conf first) is already committed to PulledPork v0.7. Which means that if you modify (pcre or so as documented) your rule in the modifysid.conf file by removing the flowbits setting, it will be processed first, hence, the dependency should be removed already before moving along.

Thanks, YM.

Uhmm, I see but then I have a problem.
In the EmergingThreats rules package the following rules exist with the same flowbit:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:"Java/1.4."; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011584; rev:11;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011581; rev:9;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"71"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:33;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:"Java/1.7.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:25;)

I only want to remove rule 2011582, not the others. If I am understanding ok, if I put the following in my modifysid.conf:

2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""

I disable all these rules ... is it ok??
And these rule dependencies, too:

root@nsm01:/tmp/j/rules # grep ET.http.javaclient.vulnerable * | grep isset
emerging-current_events.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:3;)
emerging-current_events.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:6;)
emerging-current_events.rules:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:2;)
emerging-current_events.rules:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; content:"|0d 0a 0d 0a|PK"; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3;)
emerging-current_events.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;)
emerging-current_events.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3;)
emerging-current_events.rules:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;)
emerging-current_events.rules:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK"; classtype:trojan-activity; sid:2014472; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A|PK"; classtype:trojan-activity; sid:2014473; rev:4;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014474; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:2;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:2;)
emerging-policy.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:6;)
emerging-trojan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7;)

Is this correct??

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
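The flowbit dependency check that YM describes (a disabled rule is re-enabled whenever an enabled rule still tests a flowbit it sets, and a modifysid.conf entry is applied before that pass), as an added example that is not part of this thread or of PulledPork's own code. It works on constructed rules modelled on the ET rules quoted above with most options trimmed, and it models the modifysid entry as a per-sid regex substitution, which is a simplification of PulledPork's handling.

```python
import re
# Constructed sample rules modelled on the ET rules quoted in the thread, with most
# options trimmed; a leading "#" marks a rule that is disabled in the rule file.
RULES = """\
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; content:"Java/1.6.0_"; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; sid:2011582; rev:33;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; content:"Java/1.7.0_"; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; sid:2014297; rev:25;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A|PK"; sid:2014473; rev:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK"; sid:2014472; rev:6;)
"""
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"flowbits:\s*(set|setx|unset|toggle|isset|isnotset)\s*,\s*([^;]+);")

def parse_rules(text):
    """Map sid -> {enabled flag, flowbits the rule sets, flowbits it tests}."""
    rules = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        sets, checks = set(), set()
        for op, names in FLOWBITS_RE.findall(line):
            # Snort accepts "bit1&bit2" / "bit1|bit2" in a check; record every bit named.
            bits = {b.strip() for b in re.split(r"[&|]", names)}
            (checks if op in ("isset", "isnotset") else sets).update(bits)
        rules[int(m.group(1))] = {"enabled": not line.lstrip().startswith("#"),
                                  "sets": sets, "checks": checks}
    return rules

def modifysid(text, sid, find, replace):
    """One modifysid.conf entry (sid "find" "replace"): regex sub applied only to that sid (simplified model)."""
    out = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) == sid:
            line = re.sub(find, replace, line)
        out.append(line)
    return "\n".join(out)

def reenabled_setters(rules):
    """Disabled rules turned back on because an enabled rule still tests a bit they set."""
    needed = set()
    for r in rules.values():
        if r["enabled"]:
            needed |= r["checks"]
    return {sid for sid, r in rules.items() if not r["enabled"] and r["sets"] & needed}

if __name__ == "__main__":
    print("re-enabled with a plain disable:", sorted(reenabled_setters(parse_rules(RULES))))
    patched = modifysid(RULES, 2011582, "flowbits:set,ET.http.javaclient.vulnerable;", "")
    print("re-enabled after modifysid removes the set:", sorted(reenabled_setters(parse_rules(patched))))
```

With only 2011582 commented out, the dependency pass brings it back because 2014473 and 2014472 still test the flowbit; once the modifysid entry strips the set from 2011582 alone, 2014297 remains as a setter and 2011582 stays disabled.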