Snort mailing list archives

Fwd: Disablesid.conf does not disable all rules


From: Forensix Land <forensixland () gmail com>
Date: Mon, 24 Apr 2017 00:11:13 -0400



Hi,
Seems the disabledsid.conf file does not disable all the rules.
The enablesid.conf, dropsid.conf and modifysid.conf files are all blank. Below is the pcre in disabledsid.conf:
  pcre:connectivity-ips\s*drop
 
But I still see that rules are enabled. Below are some examples.
###grep "connectivity-ips" rules/snort.vrt.rules |grep -v "^#"
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; 
flow:to_server,established; content:"/ckwm.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; 
flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; 
reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; 
reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; 
reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27704; 
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; 
flow:to_server,established; content:"/wmck.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; 
flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; 
reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; 
reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; 
reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27705; 
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound 
connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:35; 
pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\/\d+\.\d+\.\d+\.\d+\//"; flowbits:set,file.exploit_kit.flash; metadata:policy 
balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0634; 
reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; 
classtype:trojan-activity; sid:31276; rev:2;)

Please advise.
 
FL
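An added example, not from this thread or from PulledPork itself: a small checker that applies disablesid.conf-style "pcre:" entries (the form used in the post) to a rules file and reports, per sid, which active rules the pattern would match. The rule text is a constructed, shortened sample modelled on the rules quoted above; it shows that the poster's pattern does match the "policy connectivity-ips drop" metadata, which narrows the problem to how and when the file is applied rather than to the regex itself.

```python
import re

# Constructed sample inputs for this example: a disablesid.conf fragment in the
# "pcre:" form from the post, and shortened rules resembling the ones grepped.
DISABLESID_CONF = """\
# comment lines and blanks are ignored
pcre:connectivity-ips\\s*drop
"""

RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; metadata:policy balanced-ips drop, policy connectivity-ips drop, service http; sid:27704; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"already commented out"; metadata:policy connectivity-ips drop; sid:31276; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"no connectivity policy"; metadata:policy security-ips drop, service http; sid:99999; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def load_pcres(conf_text):
    """Return compiled regexes from the 'pcre:' entries of a disablesid.conf."""
    pats = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            pats.append(re.compile(line[len("pcre:"):].strip()))
    return pats


def audit_rules(rules_text, pcres):
    """Map each active (uncommented) rule's sid to whether any pcre matches it."""
    result = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # already disabled, nothing to check
        m = SID_RE.search(line)
        if not m:
            continue  # not a rule line (or no sid)
        result[int(m.group(1))] = any(p.search(line) for p in pcres)
    return result


def still_enabled(rules_text, conf_text):
    """Sids of active rules that no disablesid pcre would touch."""
    hits = audit_rules(rules_text, load_pcres(conf_text))
    return sorted(sid for sid, hit in hits.items() if not hit)
```

Point it at the real snort.vrt.rules and disablesid.conf to see whether the pattern itself is the problem: any sid reported by `still_enabled` is one the pcre never matched, whereas a matched sid that is still active after a PulledPork run was re-enabled by a later step.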
Snort-users mailing list