[Snort-sigs] Local.Rules rule misfiring

Clint Conner conner at ...4151...
Fri Apr 29 12:04:54 EDT 2016


Greetings Anthony,

Thank you, I created a suppression rule and this resolved my issue!

Thank you,

-Clint

*************************
Clint J. Conner
Managed Services Manager
Plummer Slade, Inc.
"Computer Networking & IT Solutions"
Tel: 412.261.5600 x215
conner at ...4151...

"Exclusively endorsed for IT solutions by the Allegheny County Bar Association (ACBA)."


From: Rodgers, Anthony (DTMB) [mailto:RodgersA1 at ...3985...]
Sent: Friday, April 29, 2016 8:21 AM
To: Clint Conner <conner at ...4151...>; snort-sigs at lists.sourceforge.net
Subject: RE: Local.Rules rule misfiring

As I read your rule, it will match on $EXTERNAL_NET - IP address matching is not first-match, AFAIK.

If you want to exclude (a) specific address(es) from causing a rule to fire, you should look at event suppression or detection_filter, not negation.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: Clint Conner [mailto:conner at ...4151...]
Sent: Tuesday, April 26, 2016 10:06
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Local.Rules rule misfiring

Greetings,

I have the following rule added to my local.rules file. The rule it replaces is disabled in disabledsids.conf. The rule is firing incorrectly, though. It alerts on the first IP address, which is 188.172.212.76. If I understand the rule correctly, it should not be alerting on this IP address.

alert tcp $HOME_NET any -> [!188.172.212.76,!208.87.232.0/21,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))";flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:Trojan-activity; sid:900000010;rev:1;)

There are more IP address ranges that are ! out, but I have omitted them.  I copied the rule directly from the pulledpork file and just added the first IP address to it.  I still have alerts pouring in when anything goes to that first IP address.

Thank you,

-Clint

*************************
Clint J. Conner
Managed Services Manager
Plummer Slade, Inc.
"Computer Networking & IT Solutions"
428 Forbes Avenue, Suite 2450
Pittsburgh, PA 15219
Tel: 412.261.5600 x215
Fax: 412.261.1528
conner at ...4151...
www.plummerslade.com

"Exclusively endorsed for IT solutions by the Allegheny County Bar Association (ACBA)."
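Anthony's advice in this thread is to keep the address out of the rule's IP list and instead suppress the event with a threshold.conf-style `suppress` entry keyed on the destination address. The following is an added example, not code from the thread or from the Snort project: a small Python model of how such suppression entries act on a stream of alerts, using the sid and addresses from Clint's rule and constructed sample alerts. It assumes the Snort 2.x `suppress gen_id G, sig_id S, track by_src|by_dst, ip ADDR` form with a single address or CIDR per entry (Snort also accepts bracketed lists, which this parser does not handle).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed threshold.conf-style entries (Snort 2.x suppress syntax).
# sid 900000010 and the two destination addresses come from the thread.
SUPPRESS_CONF = """
# drop the local rule's alerts when the destination is the single host
suppress gen_id 1, sig_id 900000010, track by_dst, ip 188.172.212.76
# ... and when the destination is anywhere in the /21
suppress gen_id 1, sig_id 900000010, track by_dst, ip 208.87.232.0/21
"""

# Constructed sample alerts: (gen_id, sig_id, src_ip, dst_ip).
# sid 1000001 is a placeholder for some other local rule.
SAMPLE_ALERTS = [
    (1, 900000010, "10.0.0.5", "188.172.212.76"),  # exact host -> suppressed
    (1, 900000010, "10.0.0.5", "208.87.233.9"),    # inside /21  -> suppressed
    (1, 900000010, "10.0.0.5", "203.0.113.7"),     # other dst   -> kept
    (1, 1000001,   "10.0.0.5", "188.172.212.76"),  # other sid   -> kept
]

Alert = Tuple[int, int, str, str]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# One suppress line; the track/ip pair is optional (whole-signature suppression).
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]   # "by_src", "by_dst", or None for the whole signature
    net: Optional[Network]  # address or CIDR the track field is compared against


def parse_suppress(text: str) -> List[Suppress]:
    """Parse suppress entries, ignoring blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def is_suppressed(alert: Alert, rules: List[Suppress]) -> bool:
    """True if any entry for this gid/sid matches the tracked address."""
    gid, sid, src, dst = alert
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue
        if r.track is None:
            return True  # no address filter: suppress every event for the sid
        addr = ipaddress.ip_address(src if r.track == "by_src" else dst)
        if addr in r.net:
            return True
    return False


def filter_alerts(alerts: List[Alert], rules: List[Suppress]) -> List[Alert]:
    """Return the alerts that survive suppression, in original order."""
    return [a for a in alerts if not is_suppressed(a, rules)]


if __name__ == "__main__":
    kept = filter_alerts(SAMPLE_ALERTS, parse_suppress(SUPPRESS_CONF))
    for gid, sid, src, dst in kept:
        print(f"[{gid}:{sid}] {src} -> {dst}")
```

The point the model makes visible is the one Anthony raises: suppression is evaluated after the rule matches, keyed on the event's source or destination, so it removes the alert for the excluded host without depending on how negated entries combine with `$EXTERNAL_NET` inside the rule's address list. Note that a suppressed event is still detected and counted; it is only not logged.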
