[Snort-sigs] Disabled rule still alerting

Tony Reusser treusser at ...3727...
Wed Aug 29 14:15:59 EDT 2012


I've recently installed the latest 2.9.3.0 VRT ruleset along with the latest
ET rules (as of 8/27).

I'm getting TONS of hits for the following:

3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched
txid)

Here is my disablesid.conf:

# BAD-TRAFFIC
MS10-024,cve:2010-1690,3:21355,3:19187

# GPL ICMP_INFO
1:2100368,1:2100366

# SMTP
1:2000328

# DNS
1:2003195

Here is an excerpt from my 'snort.rules' showing it is indeed commented out:

# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential
dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2;
classtype:attempted-recon; reference:cve,2010-1690;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024;
metadata: engine shared, soid 3|21355;)

Yet, I continue to get thousands of alerts. Can anybody help me figure out
how to turn these off?

Thanks

Tony
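A diagnostic worth running before posting a question like this one, added here as an example and not part of Tony's message, of the VRT/ET rulesets, or of pulledpork or Snort: parse the disablesid.conf entries quoted above, then audit a rules file for every rule those entries select and report each occurrence that is still uncommented. Checking only one file is not enough, so a defender would point this at every rules file snort.conf includes (the shared-object stubs included), since the same gid:sid can be loaded from more than one place. The matching semantics for the cve: and MS10-024 style entries are an assumption about how pulledpork interprets them, and the sample rules file is constructed: the commented-out stub from the post plus two constructed live lines.

```python
import re

# Constructed sample: the disablesid.conf entries quoted in the post.
DISABLESID_CONF = """\
# BAD-TRAFFIC
MS10-024,cve:2010-1690,3:21355,3:19187

# GPL ICMP_INFO
1:2100368,1:2100366
"""

# Constructed sample rules file: the commented-out stub from the post, plus two
# constructed lines (a live GPL rule, and a second copy of sid 21355 that is
# NOT commented out) so the audit has something to surface.
RULES_FILE = """\
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING"; sid:2100368; gid:1; rev:6; classtype:misc-activity;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; metadata: engine shared, soid 3|21355;)
"""

GID_SID_RE = re.compile(r"^(\d+):(\d+)$")
CVE_RE = re.compile(r"^cve:(\d{4}-\d+)$", re.IGNORECASE)
MS_RE = re.compile(r"^MS\d{2}-\d{3}$", re.IGNORECASE)


def parse_disablesid(text):
    """Split a pulledpork-style disablesid.conf into three match sets.

    Assumed semantics (not stated in the post): 'gid:sid' tokens match by id,
    'cve:YYYY-NNNN' tokens match a rule's reference:cve, and 'MSyy-nnn' tokens
    match a Microsoft bulletin id appearing in a rule's reference:url.
    """
    crit = {"ids": set(), "cves": set(), "ms": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for tok in (t.strip() for t in line.split(",")):
            m = GID_SID_RE.match(tok)
            if m:
                crit["ids"].add((int(m.group(1)), int(m.group(2))))
                continue
            m = CVE_RE.match(tok)
            if m:
                crit["cves"].add(m.group(1).lower())
            elif MS_RE.match(tok):
                crit["ms"].add(tok.upper())
    return crit


def parse_rule(line):
    """Return gid, sid, commented-out state and references for a rule line,
    or None for blank lines and ordinary comments."""
    stripped = line.strip()
    if not stripped:
        return None
    disabled = stripped.startswith("#")
    body = stripped.lstrip("# ")
    if not re.match(r"^(alert|log|pass|drop|reject|sdrop)\s", body):
        return None
    sid = re.search(r"\bsid\s*:\s*(\d+)", body)
    if not sid:
        return None
    gid = re.search(r"\bgid\s*:\s*(\d+)", body)
    refs = re.findall(r"reference\s*:\s*(\w+)\s*,\s*([^;]+)", body)
    return {
        "gid": int(gid.group(1)) if gid else 1,  # Snort's default gid is 1
        "sid": int(sid.group(1)),
        "disabled": disabled,
        "refs": [(k.lower(), v.strip()) for k, v in refs],
    }


def matches(rule, crit):
    """Explain why disablesid.conf selects this rule, or return None."""
    if (rule["gid"], rule["sid"]) in crit["ids"]:
        return "gid:sid"
    for kind, val in rule["refs"]:
        if kind == "cve" and val.lower() in crit["cves"]:
            return "cve:" + val
        if kind == "url":
            for ms in crit["ms"]:
                if ms.lower() in val.lower():
                    return ms
    return None


def audit(rules_text, crit):
    """Every rule the disable list selects, with its line number and state."""
    out = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None:
            continue
        why = matches(rule, crit)
        if why:
            out.append({"line": lineno, "gid": rule["gid"], "sid": rule["sid"],
                        "disabled": rule["disabled"], "why": why})
    return out


def still_enabled(rules_text, crit):
    """The findings that matter: selected for disabling but still live."""
    return [r for r in audit(rules_text, crit) if not r["disabled"]]


if __name__ == "__main__":
    crit = parse_disablesid(DISABLESID_CONF)
    for r in still_enabled(RULES_FILE, crit):
        print("line %d: %d:%d still enabled (matched by %s)"
              % (r["line"], r["gid"], r["sid"], r["why"]))
```

To use it on a real deployment, replace RULES_FILE with the contents of each file listed in snort.conf's include lines and run still_enabled() over each; an empty result for every file is the evidence that the rule text is actually off, while any hit tells you exactly which file and line still carries a live copy.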