[Snort-sigs] Disabled rule still alerting

Joel Esler jesler at ...435...
Wed Aug 29 15:20:43 EDT 2012


gen_id 3, sig_id 21355

should suppress it.

On Aug 29, 2012, at 2:54 PM, Tony Reusser <treusser at ...3727...> wrote:

> How do you suppress it?
>  
> It is a shared-object dynamic rule that does not have a gen-id/sig-id in gen-msg.map.
>  
> I’m following the recommended procedure by putting it in the ‘disablesid.conf’ file when running pulledpork.  I even tried the ‘-E’ option so only enabled rules get written to the outfile (so the rule doesn’t even exist anymore) and I STILL get the alerts!!!
>  
> From: mlarchuleta at ...2420... [mailto:mlarchuleta at ...2420...] 
> Sent: Wednesday, August 29, 2012 12:45 PM
> To: Tony Reusser
> Subject: Re: [Snort-sigs] Disabled rule still alerting
>  
> Suppress the rule, don't comment it out.
> 
> Sent from my iPhone
> 
> On Aug 29, 2012, at 12:15 PM, "Tony Reusser" <treusser at ...3727...> wrote:
> 
> I’ve recently installed the latest 2.9.3.0 VRT ruleset along with the latest ET rules (as of 8/27)
>  
> I’m getting TONS of hits for the following:
>  
> 3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid)
>  
> Here is my disablesid.conf:
>  
> # BAD-TRAFFIC
> MS10-024,cve:2010-1690,3:21355,3:19187
>  
> # GPL ICMP_INFO
> 1:2100368,1:2100366
>  
> # SMTP
> 1:2000328
>  
> # DNS
> 1:2003195
>  
> Here is an excerpt from my ‘snort.rules’ showing it is indeed commented-out:
>  
> # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;)
>  
> Yet, I continue to get thousands of alerts.  Can anybody help me figure out how to turn these off?
>  
> Thanks
>  
> Tony
>  
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
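As an added example (not code from the thread or from the pulledpork or Snort projects), a small helper that reads a disablesid.conf in the format Tony quotes and emits the threshold.conf suppress lines that Joel's reply points at for the gid 3 shared-object entries, which keep firing when they are merely commented out in snort.rules. The sample input below is constructed from the thread; the function and file names are mine.

```python
import re
from typing import Iterable

# Constructed sample mirroring the disablesid.conf quoted in the thread.
SAMPLE_DISABLESID = """\
# BAD-TRAFFIC
MS10-024,cve:2010-1690,3:21355,3:19187

# GPL ICMP_INFO
1:2100368,1:2100366

# SMTP
1:2000328

# DNS
1:2003195
"""

GID_SID = re.compile(r"^(\d+):(\d+)$")
SO_GID = 3  # shared-object (dynamic) rules carry gid 3


def parse_disablesid(text: str) -> list[tuple[int, int]]:
    """Return (gid, sid) pairs found in a pulledpork disablesid.conf.

    Only explicit gid:sid tokens are returned; bulletin, CVE and pcre style
    entries cannot be mapped to a suppress line without the rule files,
    so they are skipped here.
    """
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        for token in line.split(","):
            m = GID_SID.match(token.strip())
            if m:
                pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def so_suppress_lines(pairs: Iterable[tuple[int, int]]) -> list[str]:
    """threshold.conf suppress lines for the shared-object (gid 3) entries only."""
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for gid, sid in pairs if gid == SO_GID]


if __name__ == "__main__":
    for line in so_suppress_lines(parse_disablesid(SAMPLE_DISABLESID)):
        print(line)
```

Append the printed lines to threshold.conf (or wherever snort.conf includes suppress rules) and restart Snort; the gid 1 entries are text rules and are already handled by disablesid.conf.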
