[Snort-sigs] Local.Rules rule misfiring

James Lay jlay at ...3266...
Tue Apr 26 10:29:02 EDT 2016


On 2016-04-26 08:05, Clint Conner wrote:
> Greetings,
> 
> I have the following rule added to my local.rules file.  The rule it
> replaces is disabled in disabledsids.conf.  The rule is firing
> incorrectly, though.  It alerts on the first IP address, which is
> 188.172.212.76.  If I understand the rule correctly, it should not be
> alerting on this IP address.
> 
> alert tcp $HOME_NET any ->
> [!188.172.212.76,!208.87.232.0/21,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET
> MALWARE User-Agent (Mozilla/4.0
> (compatible))";flow:to_server,established; content:"User-Agent|3a|
> Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header;
> content:!"citrixonline.com"; http_header;
> reference:url,doc.emergingthreats.net/bin/view/Main/2008974;
> classtype:Trojan-activity; sid:900000010;rev:1;)
> 
> There are more IP address ranges that are ! out, but I have omitted
> them.  I copied the rule directly from the pulledpork file and just
> added the first IP address to it.  I still have alerts pouring in when
> anything goes to that first IP address.
> 
> Thank you,
> 
> -Clint
> 
> *************************
> Clint J. Conner
> Managed Services Manager
> 
> Plummer Slade, Inc.
> 
> "Computer Networking & IT Solutions"
> 428 Forbes Avenue, Suite 2450
> Pittsburgh, PA 15219
> Tel: 412.261.5600 x215
> Fax: 412.261.1528
> conner at ...4151...
> 
> www.plummerslade.com [4]
> 
> "EXCLUSIVELY ENDORSED FOR IT SOLUTIONS BY THE ALLEGHENY COUNTY BAR
> ASSOCIATION (ACBA)."
> 

Check out detection filters:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#detection_filter

James
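As an added example (not from either poster), here is the rule from the question with the detection_filter James points to, plus, as a separate Snort mechanism, a threshold.conf suppress entry for the one destination the poster wanted excluded; the count and seconds values are assumed. A detection_filter only rate-limits alerting per host, it does not exclude a destination by itself, which is what the suppress line does.

```snort
# local.rules: the posted rule with a detection_filter appended.
# count/seconds are assumed values: alert only once a single destination
# has matched 5 times within 60 seconds, so one-off hits stay quiet while
# a host that keeps sending this User-Agent still surfaces.
alert tcp $HOME_NET any -> [!188.172.212.76,!208.87.232.0/21,$EXTERNAL_NET] $HTTP_PORTS ( \
    msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; \
    flow:to_server,established; \
    content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; \
    content:!"citrixonline.com"; http_header; \
    detection_filter:track by_dst, count 5, seconds 60; \
    reference:url,doc.emergingthreats.net/bin/view/Main/2008974; \
    classtype:trojan-activity; sid:900000010; rev:2;)

# threshold.conf: a different mechanism from the detection_filter above.
# Suppresses alerts from sid 900000010 when the destination is the single
# address in question, without editing the rule header. gen_id 1 is the
# Snort rules engine.
suppress gen_id 1, sig_id 900000010, track by_dst, ip 188.172.212.76
```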
