[Snort-sigs] Disabled rule still alerting

Tony Reusser treusser at ...3727...
Wed Aug 29 14:54:24 EDT 2012


How do you suppress it?

 

It is a shared-object dynamic rule that does not have a gen-id/sig-id in gen-msg.map.

 

I’m following the recommended procedure by putting it in the ‘disablesid.conf’ file when running pulledpork.  I even tried the ‘-E’ option so only enabled rules get written to the outfile (so the rule doesn’t even exist anymore) and I STILL get the alerts!!!

 

From: mlarchuleta at ...2420... [mailto:mlarchuleta at ...2420...] 
Sent: Wednesday, August 29, 2012 12:45 PM
To: Tony Reusser
Subject: Re: [Snort-sigs] Disabled rule still alerting

 

Suppress the rule, don't comment it out.

Sent from my iPhone


On Aug 29, 2012, at 12:15 PM, "Tony Reusser" <treusser at ...3727...> wrote:

I’ve recently installed the latest 2.9.3.0 VRT ruleset along with the latest ET rules (as of 8/27)

 

I’m getting TONS of hits for the following:

 

3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid)

 

Here is my disablesid.conf:

 

# BAD-TRAFFIC

MS10-024,cve:2010-1690,3:21355,3:19187

 

# GPL ICMP_INFO

1:2100368,1:2100366

 

# SMTP

1:2000328

 

# DNS

1:2003195

 

Here is an excerpt from my ‘snort.rules’ showing it is indeed commented-out:

 

# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;)

 

Yet, I continue to get thousands of alerts.  Can anybody help me figure out how to turn these off?

 

Thanks

 

Tony

 

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120829/f91ea1e7/attachment.html>


More information about the Snort-sigs mailing list