Snort mailing list archives

Re: Local.Rules rule misfiring


From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Fri, 29 Apr 2016 12:21:04 +0000

As I read your rule, it will match on $EXTERNAL_NET - IP address matching is not first-match, AFAIK.

If you want to exclude (a) specific address(es) from causing a rule to fire, you should look at event suppression or 
detection_filter, not negation.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
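As an added illustration of the suppression approach suggested above (example configuration, not taken from either post): the original rule keeps its plain $EXTERNAL_NET destination, and the two addresses to exclude are handled in threshold.conf (or snort.conf) with suppress entries keyed on the rule's sid 900000010. The rule text below is the poster's rule with the negated entries removed; the suppress lines are assumed Snort 2.9 syntax.

```conf
# local.rules: same rule as the original post, but with a plain $EXTERNAL_NET
# destination list. The exclusions are moved to suppression instead of negation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:900000010; rev:2;)

# threshold.conf (or snort.conf): never log or alert for sid 900000010 when the
# destination of the flow is one of the excluded addresses. gen_id 1 is the
# rules engine; track by_dst matches the rule's direction ($HOME_NET -> server).
suppress gen_id 1, sig_id 900000010, track by_dst, ip 188.172.212.76
suppress gen_id 1, sig_id 900000010, track by_dst, ip 208.87.232.0/21
```

Detection still runs against these destinations; only the event output is dropped, so the suppressed hits do not appear in alert logs.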

From: Clint Conner [mailto:conner () plummerslade com]
Sent: Tuesday, April 26, 2016 10:06
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Local.Rules rule misfiring

Greetings,

I have the following rule added to my local.rules file.  The rule it replaces is disabled in disabledsids.conf.  The 
rule is firing incorrectly, though.  It alerts on the first IP address, which is 188.172.212.76.  If I understand the 
rule correctly, it should not be alerting on this IP address.

alert tcp $HOME_NET any -> [!188.172.212.76,!208.87.232.0/21,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))";flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:Trojan-activity; sid:900000010;rev:1;)

There are more IP address ranges that are ! out, but I have omitted them.  I copied the rule directly from the 
pulledpork file and just added the first IP address to it.  I still have alerts pouring in when anything goes to that 
first IP address.

Thank you,

-Clint

*************************
Clint J. Conner
Managed Services Manager
Plummer Slade, Inc.
"Computer Networking & IT Solutions"
428 Forbes Avenue, Suite 2450
Pittsburgh, PA 15219
Tel: 412.261.5600 x215
Fax: 412.261.1528
conner () plummerslade com
www.plummerslade.com

"Exclusively endorsed for IT solutions by the Allegheny County Bar Association (ACBA)."

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
