[Snort-sigs] Disabled rule still alerting - UPDATE - FIXED !

Joel Esler jesler at ...435...
Wed Aug 29 15:43:13 EDT 2012


I try not to link anything when it comes to rules and stuff.  Absolute paths ftw.

On Aug 29, 2012, at 3:32 PM, "Tony Reusser" <treusser at ...3727...> wrote:

> UPDATE---
>  
> I think I fixed it.
>  
> I created a symbolic link to my OLD so_rules directory before I installed pulledpork.  I deleted the link and created a new one to the pulledpork-created stub file directory, but I used the same name for the link.  Apparently some weird stuff can happen when you start messing around with file links.  I re-created the link using a different name and that seems to have fixed the problem.  It seems I did indeed have a duplicate set of rules that wasn’t intended.
>  
> Thanks for the input.  It helped me look in the right direction.
>  
> *still a linux n00b*
>  
> From: Tony Reusser [mailto:treusser at ...3727...] 
> Sent: Wednesday, August 29, 2012 12:40 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Disabled rule still alerting
>  
> Yes,
>  
> Snort and barnyard2 restarted (NOT SIGHUP’d)
> I even rebooted the box just to make sure.
>  
> Pulledpork used to create my two “uber-rules” files:
>  
> /etc/rules/snort.rules
> /etc/so_rules/so_rules.rules
>  
> Snort.conf modified to include these ONLY.
>  
> No duplicate rules.  I double and triple checked!
>  
> It looks like the alert is triggering on ALL of my legitimate DNS traffic.  This is getting very annoying!  Thinking about going back to basic configuration (VRT rules only) until a new ruleset is available.  I’m only a ‘registered’ user, so I’m running on 30-day-old rules anyway.
>  
> From: Vladimir Gajić [mailto:vladogajic at ...2420...] 
> Sent: Wednesday, August 29, 2012 12:25 PM
> To: Tony Reusser
> Subject: Re: [Snort-sigs] Disabled rule still alerting
>  
> I don't know how experienced you are, so I'll give it a try with this silly idea:
> 
> Did you restart snort, to force it to reload signatures?
> Or, if you played with that rule earlier, is it possible that you copied it to another file, so you have it doubled?
> 
> Greetings,
> Vladimir
> 
> 2012/8/29 Tony Reusser <treusser at ...3727...>
> I’ve recently installed the latest 2.9.3.0 VRT ruleset along with the latest ET rules (as of 8/27).
>  
> I’m getting TONS of hits for the following:
>  
> 3:21355 (BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid)
>  
> Here is my disablesid.conf:
>  
> # BAD-TRAFFIC
> MS10-024,cve:2010-1690,3:21355,3:19187
>  
> # GPL ICMP_INFO
> 1:2100368,1:2100366
>  
> # SMTP
> 1:2000328
>  
> # DNS
> 1:2003195
>  
> Here is an excerpt from my ‘snort.rules’ showing it is indeed commented-out:
>  
> # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; reference:cve,2010-1690; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; metadata: engine shared, soid 3|21355;)
>  
> Yet, I continue to get thousands of alerts.  Can anybody help me figure out how to turn these off?
>  
> Thanks
>  
> Tony
>  
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
>  
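The check the thread converges on (restart done, snort.conf includes only the two pulledpork files, yet a rule commented out in one place still fires because another copy is loaded through a link) is easy to script. The script below is an added example, not code from the thread, from Snort or from pulledpork. It walks the rule directories Snort is pointed at, follows symlinks and reports each rule by its resolved file, so it answers two questions directly: which gid:sid pairs are enabled in more than one distinct file, and which real file still enables a rule you believe is disabled. It also resolves every `include` line of a snort.conf so a stale link shows up next to the path you wrote. The so_rules.old/so_rules.new directory names, the sids 1:1000001 and 3:1000002, the scratch snort.conf and all rule lines in build_demo are constructed for the demonstration; it assumes a POSIX sh with `readlink -f` (GNU coreutils or a recent BSD).

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort/pulledpork.
# Finds gid:sid pairs enabled in more than one distinct rule file, and the
# resolved file that still enables a rule you think is disabled.
# Everything under build_demo is constructed data in a scratch directory.

# active_rules DIR... : "gid:sid<TAB>realpath" for every uncommented rule line in
# *.rules files below the given paths. Symlinks are followed (find -L) and each
# file is reported by its resolved target, so a stale link is visible.
active_rules() {
    find -L "$@" -type f -name '*.rules' 2>/dev/null | while read -r f; do
        real=$(readlink -f "$f")
        # commented-out rules ("# alert ...") are not matched here
        grep -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$f" |
        while read -r line; do
            sid=$(printf '%s\n' "$line" | sed -n 's/.*[; (]sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
            [ -n "$sid" ] || continue
            gid=$(printf '%s\n' "$line" | sed -n 's/.*[; (]gid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
            printf '%s:%s\t%s\n' "${gid:-1}" "$sid" "$real"   # Snort's default gid is 1
        done
    done
}

# duplicate_sids DIR... : gid:sid pairs enabled in more than one distinct file.
# sort -u runs first, so one file reached through two paths is not a duplicate.
duplicate_sids() {
    active_rules "$@" | sort -u | cut -f1 | sort | uniq -d
}

# enabled_in GID:SID DIR... : resolved paths of the files that still enable the rule
enabled_in() {
    key=$1; shift
    active_rules "$@" | awk -F'\t' -v k="$key" '$1 == k { print $2 }' | sort -u
}

# resolve_includes SNORT_CONF : each "include" line beside its resolved target
resolve_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\(.*\)$/\1/p' "$1" | while read -r p; do
        printf '%s\t%s\n' "$p" "$(readlink -f "$p" 2>/dev/null || echo MISSING)"
    done
}

# build_demo DIR : constructed reproduction of the thread's situation in a scratch tree
build_demo() {
    d=$1
    mkdir -p "$d/etc/rules" "$d/etc/so_rules.old" "$d/etc/so_rules.new"
    # pulledpork output: 3:21355 commented out, as in the post; 1:1000001 is a constructed rule
    cat > "$d/etc/rules/snort.rules" <<'EOF'
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; classtype:attempted-recon; metadata: engine shared, soid 3|21355;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed icmp rule"; sid:1000001; rev:1;)
EOF
    # the OLD stub directory, still holding an enabled copy of 3:21355 and of a constructed 3:1000002
    cat > "$d/etc/so_rules.old/so_rules.rules" <<'EOF'
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; metadata: engine shared, soid 3|21355;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed so rule"; sid:1000002; gid:3; rev:1; metadata: engine shared, soid 3|1000002;)
EOF
    # the NEW stubs written by pulledpork: 3:21355 disabled, 3:1000002 still enabled
    cat > "$d/etc/so_rules.new/so_rules.rules" <<'EOF'
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; sid:21355; gid:3; rev:2; metadata: engine shared, soid 3|21355;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed so rule"; sid:1000002; gid:3; rev:1; metadata: engine shared, soid 3|1000002;)
EOF
    # the stale link: etc/so_rules still resolves to the OLD directory
    ln -s so_rules.old "$d/etc/so_rules"
    # scratch snort.conf that includes the rules file and the linked so_rules file
    printf 'include %s/etc/rules/snort.rules\ninclude %s/etc/so_rules/so_rules.rules\n' \
        "$d" "$d" > "$d/etc/snort.conf"
}

# sh thisfile.sh demo  ->  build the scratch tree, run the checks, remove it
if [ "${1:-}" = demo ]; then
    s=$(mktemp -d); build_demo "$s"
    echo "enabled in more than one file:"
    duplicate_sids "$s/etc/rules" "$s/etc/so_rules" "$s/etc/so_rules.new"
    echo "files still enabling 3:21355:"
    enabled_in 3:21355 "$s/etc/rules" "$s/etc/so_rules"
    echo "snort.conf includes, resolved:"
    resolve_includes "$s/etc/snort.conf"
    rm -rf "$s"
fi
```

Against a real box, pass the directories your snort.conf actually includes (or run resolve_includes on the conf itself) rather than the pulledpork output paths you remember writing; the resolved path column is what exposes a link that was recreated under the same name but still points at the old directory, which is the case the thread ends on.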
