[Snort-users] Snort 2.02 still runs 'disabled' rules

scheidell at ...5171...
Tue Sep 23 10:24:07 EDT 2003


This started to happen with snort 1.9.1 and has been reported by several people in the past.

It kept up with snort 2.00 and 2.01, and is still in snort 2.0.2.

If I have a disabled rule (with a # in front of it) it should not run, but does.

Don't know why it's the same rule that runs in all of these versions, but it is.

Here is the rule, cut/paste from my ../rules/web-misc.rules file:

ls -l web-misc.rules
-rw-r--r--  1 root  wheel  70772 Aug 13 21:10 web-misc.rules

grep robots.txt *.rules

Why does it still generate alerts?

web-misc.rules:# NOTES: this signature looks for someone accessing the file "robots.txt" via
web-misc.rules:# engines) more efficient.  robots.txt is often used to inform a web spider
web-misc.rules:# Verify that the robots.txt does not include any sensitive information.
web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

System is FBSD 4.8, ../configure --enable-flexresp

It MIGHT be a SIGHUP problem since I did a killall -HUP snort to restart it a while back.

MAYBE, with flex-resp enabled, with the disabled rule being the 'n'th rule, with FBSD memory management, with it being the third Tuesday of the month, with a SIGHUP reload of the rules, it sometimes misses the comment.

Since I am not the only one that has reported this, maybe there is a way to track this down.

Could it be a problem with flex-resp code and SIGHUPs?  Is it only on FBSD?
For now, I will be doing a killall snort and cold restart to see if that fixes the problem.


--
Michael Scheidell
SECNAP Network Security
561-368-9561 x 1131
www.secnap.com 
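Before blaming the SIGHUP path, the check worth running is whether any rules file Snort loads still carries the alert's sid uncommented (a stray copy in another file, or a backslash-continued rule that a single-line grep misses). The script below is an added example, not code from the post or the Snort project; the file names and rule text are constructed sample input, and a sid index built from them is what it reports on.

```python
import re

# Constructed sample rule text (not from the original post): one commented-out
# copy of sid 1852, one backslash-continued rule, and a stray active copy of
# sid 1852 in a second file that a grep for "robots.txt" in one file would miss.
SAMPLE_RULES = {
    "web-misc.rules": (
        '# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC robots.txt access"; uricontent:"/robots.txt"; sid:1852; rev:3;)\n'
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \\\n'
        '    (msg:"WEB-MISC example"; uricontent:"/example"; sid:99001; rev:1;)\n'
    ),
    "local.rules": (
        'alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"local copy"; uricontent:"/robots.txt"; sid:1852; rev:1;)\n'
    ),
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def logical_lines(text):
    """Join backslash-continued physical lines into one logical rule line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def index_sids(rule_texts):
    """Map sid -> list of (filename, active) for every rule line carrying a sid.
    A rule is inactive when its logical line starts with '#'."""
    found = {}
    for fname, text in rule_texts.items():
        for line in logical_lines(text):
            m = SID_RE.search(line)
            if not m:
                continue
            active = not line.lstrip().startswith("#")
            found.setdefault(int(m.group(1)), []).append((fname, active))
    return found

def active_sources(rule_texts, sid):
    """Files in which the given sid is present and not commented out."""
    return [f for f, active in index_sids(rule_texts).get(sid, []) if active]

if __name__ == "__main__":
    print(active_sources(SAMPLE_RULES, 1852))  # ['local.rules']
```

To run it against a real deployment, replace SAMPLE_RULES with a dict of {path: file contents} for every file included from snort.conf; an empty result for the alerting sid points at the reload path rather than the rule files.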



