[Snort-users] Snort 2.02 still runs 'disabled' rules

John Sage jsage at ...2022...
Wed Sep 24 08:43:06 EDT 2003


Michael, et al:

On Tue, Sep 23, 2003 at 01:23:08PM -0400, scheidell at ...5171... wrote:
> This started to happen with snort 1.9.1 and has been reported by
> several people in the past.
> 
> It kept up with snort 2.00 and 2.01, and is still in snort 2.0.2
> 
> If I have a disabled rule (with a # in front of it) it should not
> run, but does.
> 
> Don't know why it's the same rule that runs in all of these versions,
> but it is.
> 
> here is the rule, cut/paste from my ../rules/web-misc.rules file:
/* snip */
> web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> $HTTP_PORTS (msg:"WEB-MISC robots.txt access";
> flow:to_server,established; uricontent:"/robots.txt"; nocase;
> reference:nessus,10302; classtype:web-application-activity; sid:1852;
> rev:3;)
> 
> System is FBSD 4.8, ../configure --enable-flexresp
> 
> it MIGHT be a SIGHUP problem since I did a killall -HUP snort to
> restart it a while back.
> 
> MAYBE, with flex-resp enabled, with the disabled rule being the
> 'n'th rule, with FBSD memory management, with it being the third
> Tuesday of the month, with a SIGHUP reload of the rules, it sometimes
> misses the comment.
> 
> Since I am not the only one that has reported this, maybe there is a
> way to track this down.
> 
> Could it be a problem with flex-resp code and SIGHUPs?  Is it only on FBSD?
> For now, I will be doing a killall snort and cold restart to see if
> that fixes the problem.

I have successfully used commenting to disable rules on 1.9.1 and now
2.0.2, viz:

tcp202-local.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
 (msg:"TCP inbound to 135 dcom, MS03-039 vuln, unknown";)
tcp202-local.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 \
 (msg:"TCP inbound to 4444 msblast, unknown";)

snort_specs:

[jsage at ...3561... /etc/snort]$ uname -a
Linux greatwall 2.4.18-5 #1 Mon Jun 10 15:14:29 EDT 2002 i586 unknown

./configure --with-mysql /usr/lib/mysql

[jsage at ...3561... /etc/snort]$ snort -V
-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch at ...1935..., www.snort.org)

[jsage at ...3561... /etc/snort]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)


This was an effective resolution to my earlier question:

Subject: [Snort-users] Rules: flags burp using 2.0.2?



- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
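As an added example (not part of this thread and not Snort's own rule parser), a small Python check that reports which rules in a rules file are enabled and which are commented out, joining backslash continuations the way the tcp202-local.rules excerpt above splits a rule over two lines. The sample rule text is constructed in the style of the quoted excerpts; the sids 1000001 and 1000002 are made up.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of the web-misc.rules and
# tcp202-local.rules excerpts quoted in the thread (not the real files).
SAMPLE_RULES = r"""
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; \
  flow:to_server,established; uricontent:"/robots.txt"; nocase; \
  reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
 (msg:"TCP inbound to 135 dcom, MS03-039 vuln, unknown"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 \
 (msg:"TCP inbound to 4444 msblast, unknown"; sid:1000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"\s*;')


def join_continuations(text: str) -> List[str]:
    """Join lines ending in a backslash into one logical rule line.

    A continuation line is treated as part of the line it continues, so a
    commented-out rule stays commented even when its tail is on the next line.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:  # file ended while a continuation was still open
        logical.append(buf.strip())
    return logical


def classify_rules(text: str) -> List[Tuple[str, int, str]]:
    """Return (state, sid, msg) per rule; state is 'enabled' or 'disabled'.

    Lines without a sid option are treated as plain comments and skipped.
    """
    out = []
    for line in join_continuations(text):
        sid = SID_RE.search(line)
        if not line or sid is None:
            continue
        msg = MSG_RE.search(line)
        state = "disabled" if line.startswith("#") else "enabled"
        out.append((state, int(sid.group(1)), msg.group(1) if msg else ""))
    return out


def enabled_sids(text: str) -> List[int]:
    """Sorted sids of the rules that Snort would actually load from this text."""
    return sorted(sid for state, sid, _ in classify_rules(text) if state == "enabled")
```

If the file shows a sid as disabled and the alert still fires, the running process is not using the file as it is on disk, which separates a file problem from the reload question raised in the thread.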
