Snort mailing list archives

Re: Pulledpork doesn't disable some rules


From: Y M <snort () outlook com>
Date: Mon, 14 Apr 2014 15:20:21 +0000







I only want to remove rule 2011582, not the others. If I am
understanding correctly, if I put the following in my modifysid.conf:

2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""

I disable all these rules ... is it ok??
 
Since you specified the sid for PulledPork, it should only modify that particular signature.
 
YM
 
Date: Mon, 14 Apr 2014 13:40:51 +0000
From: carlopmart () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulledpork doesn't disable some rules

On Mon, Apr 14, 2014 at 1:28 PM, Y M <snort () outlook com> wrote:
Ok, I have applied the following solution posted in
https://code.google.com/p/pulledpork/issues/detail?id=82, using
modifysid option without luck.

This depends on how you are modifying the rule in the modifysid.conf file,
and on whether there are other rules that check if this particular flowbit is set.
For example:

Rule A --> sets --> flowbit 1
Rule B --> checks (isset/isnotset) --> flowbit 1

In this case, if you disable Rule A, PulledPork will re-enable it since
another rule (Rule B) is checking the same flowbit (flowbit 1).

The order in which PulledPork will process the rules (modifysid.conf first)
is already committed to PulledPork v0.7. This means that if you modify your rule
(pcre or so, as documented) in the modifysid.conf file by removing the
flowbits setting, it will be processed first; hence, the dependency should
already be removed before moving along.


Thanks, YM. Uhmm, I see, but then I have a problem. In the
EmergingThreats rules package the following rules exist with the same
flowbit:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.4.x Detected"; flow:established,to_server;
content:"Java/1.4."; http_user_agent;
flowbits:set,ET.http.javaclient.vulnerable;  threshold: type limit,
count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2011584; rev:11;)

#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.5.x Detected"; flow:established,to_server;
content:" Java/1.5."; nocase; http_header;
flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit,
count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2011581; rev:9;)

#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.6.x Detected"; flow:established,to_server;
content:"Java/1.6.0_"; http_user_agent; content:!"71"; within:2;
http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
threshold: type limit, count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2011582; rev:33;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.7.x Detected"; flow:established,to_server;
content:"Java/1.7.0_"; http_user_agent; content:!"51"; within:2;
http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
threshold: type limit, count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2014297; rev:25;)

I only want to remove rule 2011582, not the others. If I am
understanding correctly, if I put the following in my modifysid.conf:

2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""

I disable all these rules ... is it ok??

And these rule dependencies, too:

root@nsm01:/tmp/j/rules # grep ET.http.javaclient.vulnerable * | grep isset
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit
Received By Vulnerable Client"; flow:established,to_client;
flowbits:isset,ET.http.javaclient.vulnerable;
content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider";
classtype:bad-unknown; sid:2013484; rev:3;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar";
flow:from_server,established;
flowbits:isset,ET.http.javaclient.vulnerable;
content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560;
rev:6;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit
vulnerable Java payload request to /1digit.html";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_server; urilen:7; content:".html"; http_uri;
content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U";
flowbits:set,et.exploitkitlanding; classtype:trojan-activity;
sid:2014750; rev:2;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin
Download"; flow:established,to_server; content:"java_ara&name=";
http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri;
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2014805; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE
Download by Vulnerable Version - Likely Driveby";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|";
classtype:trojan-activity; sid:2014909; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file";
flow:to_client,established; content:"|0d 0a 0d 0a|PK";
content:"C1.class"; fast_pattern; distance:0; content:"C2.class";
distance:0; flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2014983; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12";
flow:to_client,established; file_data; content:"PK"; within:2;
content:"SecretKey.class"; fast_pattern; distance:0;
content:"Mac.class"; distance:0;
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2015812; rev:3;)
emerging-current_events.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path
(Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data;
content:"PK"; within:2; content:"cve1723/";
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2015849; rev:3;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12";
flow:to_client,established; file_data; content:"PK"; within:2;
content:"SecretKey.class"; fast_pattern:only; content:"Anony";
pcre:"/^(mous)?\.class/R";
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2015876; rev:3;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit
Vulnerable Java Payload Request URI (1)";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_server; content:"/33.html"; depth:8; http_uri;
urilen:8; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2015930; rev:2;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit
vulnerable Java Payload Request to URI (2)";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_server; content:"/41.html"; depth:8; http_uri;
urilen:8; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2015931; rev:2;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Archive Download";
flow:from_server,established;
flowbits:isnotset,ET.http.javaclient.vulnerable;
flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK";
classtype:trojan-activity; sid:2014472; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client";
flow:from_server,established;
flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D
0A|PK"; classtype:trojan-activity; sid:2014473; rev:4;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Class Download";
flow:from_server,established;
flowbits:isnotset,ET.http.javaclient.vulnerable;
flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA
BE|"; classtype:trojan-activity; sid:2014474; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Class Download By Vulnerable Client";
flow:from_server,established;
flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA
FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO Java Serialized Data via vulnerable client";
flow:established,from_server;
flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac
ed|"; within:2; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2016502; rev:2;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO file possibly containing Serialized Data file";
flow:to_client,established; file_data; content:"PK"; within:2;
content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2016505; rev:2;)
emerging-policy.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET POLICY DRIVEBY Generic - EXE Download by Java";
flow:from_server,established;
flowbits:isnotset,ET.http.javaclient.vulnerable;
flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ";
byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64;
within:4; threshold:type limit,track by_src,count 1,seconds 3;
classtype:trojan-activity; sid:2014471; rev:6;)
emerging-trojan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely
Driveby"; flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_client; content:"|0d 0a 0d 0a|MZ";
byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64;
within:4; threshold:type limit,track by_src,count 1,seconds 3;
classtype:trojan-activity; sid:2013036; rev:7;)

Is this correct??

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
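The flowbit re-enable behaviour YM describes above, and the effect of the modifysid.conf line carlopmart proposes, can be checked offline. The script below is an added example, not PulledPork's own code: it models the dependency rule as stated in the thread (a disabled rule that sets a flowbit checked by an enabled rule is brought back) and applies a modifysid-style regex substitution to one sid. The three rules embedded in it are constructed, trimmed copies of ET rules quoted in the thread (2011582, 2014297 and 2014473), and the dependency-resolution and parsing functions are my own, written for illustration.

```python
import re

# Constructed sample: trimmed copies of three of the ET rules quoted in the
# thread. Only the options that matter for the flowbit dependency are kept.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; '
    'flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; '
    'flowbits:set,ET.http.javaclient.vulnerable; classtype:bad-unknown; sid:2011582; rev:33;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; '
    'flow:established,to_server; content:"Java/1.7.0_"; http_user_agent; '
    'flowbits:set,ET.http.javaclient.vulnerable; classtype:bad-unknown; sid:2014297; rev:25;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; '
    'flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; '
    'content:"|0D 0A 0D 0A|PK"; classtype:trojan-activity; sid:2014473; rev:4;)',
]

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
# flowbits:<op>[,<name>];  -- isset/isnotset may combine names with | or &
FLOWBITS_RE = re.compile(
    r'\bflowbits:\s*(set|setx|unset|toggle|isset|isnotset|noalert)(?:\s*,\s*([^;]+?))?\s*;')


def parse_rules(rule_lines):
    """Map sid -> {'rule', 'sets', 'checks'} for every rule line that carries a sid."""
    rules = {}
    for line in rule_lines:
        m = SID_RE.search(line)
        if not m:
            continue
        entry = {'rule': line, 'sets': set(), 'checks': set()}
        for op, names in FLOWBITS_RE.findall(line):
            if not names:            # e.g. "flowbits:noalert;" names no flowbit
                continue
            bits = {n.strip() for n in re.split(r'[|&]', names) if n.strip()}
            if op in ('set', 'setx', 'toggle'):
                entry['sets'] |= bits
            elif op in ('isset', 'isnotset'):
                entry['checks'] |= bits
        rules[int(m.group(1))] = entry
    return rules


def resolve_flowbit_dependencies(rules, disabled):
    """Model of the behaviour described in the thread (not PulledPork's code):
    a disabled rule that sets a flowbit checked by any enabled rule is re-enabled.
    Iterates to a fixed point, since a re-enabled rule may check further flowbits.
    Returns the set of sids that end up re-enabled."""
    disabled = set(disabled)
    reenabled = set()
    while True:
        needed = set()
        for sid, r in rules.items():
            if sid not in disabled:
                needed |= r['checks']
        to_restore = {sid for sid in disabled if rules[sid]['sets'] & needed}
        if not to_restore:
            return reenabled
        disabled -= to_restore
        reenabled |= to_restore


def apply_modifysid(rules, sid, pattern, replacement):
    """Apply one modifysid.conf line (<sid> "<regex>" "<replacement>") to a single
    rule and re-parse it so its flowbit relationships reflect the edited text."""
    new_text = re.sub(pattern, replacement, rules[sid]['rule'])
    return {**rules, sid: parse_rules([new_text])[sid]}


def demo():
    rules = parse_rules(SAMPLE_RULES)
    # 1. disablesid alone on 2011582: 2014473 still checks the flowbit, so the
    #    dependency pass brings 2011582 back.
    before = resolve_flowbit_dependencies(rules, {2011582})
    # 2. The modifysid.conf line from the thread, applied first: the setter is
    #    stripped from 2011582 only. 2014297 still sets the bit, so 2014473 keeps
    #    working for other clients and 2011582 now stays disabled.
    edited = apply_modifysid(rules, 2011582,
                             r'flowbits:set,ET.http.javaclient.vulnerable;', '')
    after = resolve_flowbit_dependencies(edited, {2011582})
    return before, after, edited


if __name__ == '__main__':
    before, after, edited = demo()
    print('re-enabled with disablesid only:', sorted(before))
    print('re-enabled after modifysid     :', sorted(after))
    print('2011582 after modifysid        :', edited[2011582]['rule'])
```

Two things worth noting from the run. First, the substitution only touches the sid named on the modifysid line, so the other setters (2011584, 2011581, 2014297 in the thread) keep feeding the isset/isnotset rules; nothing downstream is disabled by it. Second, the middle field of a modifysid line is treated as a regular expression, so the unescaped dots in `ET.http.javaclient.vulnerable` match any character; that is harmless here, but a pattern meant to match literal dots or brackets elsewhere should escape them.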
