Re: Local.Rules rule misfiring

[James Lay <jlay () slave-tothe-box net>]

On 2016-04-26 08:05, Clint Conner wrote:
> Greetings,
>
> I have the following rule added to my local.rules file.  The rule it
> replaces is disabled in disabledsids.conf.  The rule is firing
> incorrectly, though.  It alerts on the first IP address, which is
> 188.172.212.76.  If I understand he rule correctly, it should not be
> alerting on this IP address.
>
> alert tcp $HOME_NET any ->
> [!188.172.212.76,!208.87.232.0/21,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET
> MALWARE User-Agent (Mozilla/4.0
> (compatible))";flow:to_server,established; content:"User-Agent|3a|
> Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header;
> content:!"citrixonline.com"; http_header;
> reference:url,doc.emergingthreats.net/bin/view/Main/2008974;
> classtype:Trojan-activity; sid:900000010;rev:1;)
>
> There are more IP address ranges that are ! out, but I have omitted
> them.  I copied the rule directly from the pulledpork file and just
> added the first IP address to it.  I still have alerts pouring in when
> anything goes to that first IP address.
>
> Thank you,
>
> -Clint
>
> *************************
> Clint J. Conner
> Managed Services Manager
>
> Plummer Slade, Inc.
>
> _"Computer Networking & IT Solutions"_
> 428 Forbes Avenue, Suite 2450 [1]
> Pittsburgh, PA 15219 [1]
> Tel: 412.261.5600 x215 [2]
> Fax: 412.261.1528 [3]
> conner () plummerslade com
>
> www.plummerslade.com [4]
>
> _ _
>
> _“EXCLUSIVELY ENDORSED FOR IT SOLUTIONS BY THE ALLEGHENY COUNTY BAR
> ASSOCIATION (ACBA).”_
>
>
>
> Links:
> ------
> [1] x-apple-data-detectors://3/0
> [2] tel:412.261.5600;215
> [3] tel:412.261.1528
> [4] http://www.plummerslade.com/
>
> ------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications 
> Manager
> Applications Manager provides deep performance insights into multiple 
> tiers of
> your business applications. It resolves application problems quickly 
> and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

Check out detection filters:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#detection_filter

James

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!