[Snort-users] Disabled rules still triggering

Willst Mail willstmail at ...11827...
Wed Apr 28 14:19:38 EDT 2010


I have a Snort sensor running 2.8.5.3 and oinkmaster 2.0 on FreeBSD
6.2.  I have some signatures that I disable with oinkmaster, and in
the rules files they show as commented out, but alerts are still being
generated.  Example:

From oinkmaster.conf:
# Nimda RICHED20.DLL (2010-03-09 wss)
disablesid 1295

From /usr/local/etc/snort/rules:
# grep "sid:1295;" *
netbios.rules:#alert tcp $EXTERNAL_NET any -> $HOME_NET 139
(msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established;
content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L";
nocase; reference:url,www.f-secure.com/v-descs/nimda.shtml;
classtype:bad-unknown; sid:1295; rev:11;)

This seems to be happening with some (not sure about all) signatures.
I've tried both HUP'ing Snort and doing a full stop and start.

Suppressing it in threshold.conf DOES seem to prevent alerts:
$ grep 1295 /usr/local/etc/snort/threshold.conf
suppress gen_id 1, sig_id 1295
$ grep 1295 /var/log/messages
Apr 28 14:11:45 mysnortsensor snort[92239]: | gen-id=1
sig-id=1295       tracking=none

But I'd rather disable than simply suppress, and the fact that the
commented rule is still being loaded is troubling.  We've been running
2.8.5.3 on this sensor for a couple months, this issue seems to have
started in the past few days, and I don't think I'm seeing it on other
sensors.  We are using the paid signature subscription.

Any ideas on how else to troubleshoot this?  Going to 2.8.6 isn't
an option just yet.
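One check worth running in this situation, as an added example that is not from the original post: parse every rules file that Snort actually loads and report each copy of a given sid together with whether that copy is commented out, so a second, still-active copy of the sid in another file (one possible reason a rule disabled in one file keeps alerting) is visible at once. The file contents below are constructed samples, and the set of files is passed in as a dict rather than read from snort.conf.

```python
import re

# Matches the sid option inside a rule body, e.g. "sid:1295;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def iter_rules(text):
    """Yield (line_no, rule) pairs, joining backslash-continued lines."""
    buf, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()
        start = no if start is None else start
        if stripped.endswith("\\"):  # rule continues on the next line
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended right after a continuation backslash
        yield start, " ".join(buf).strip()

def find_sid(rule_files, sid):
    """All occurrences of `sid` as (filename, line_no, active);
    active=False means the rule line is commented out with '#'."""
    hits = []
    for fname, text in rule_files.items():
        for no, rule in iter_rules(text):
            m = SID_RE.search(rule) if rule else None
            if m and int(m.group(1)) == sid:
                hits.append((fname, no, not rule.startswith("#")))
    return hits

def active_copies(rule_files, sid):
    """Only the copies Snort would still load (uncommented)."""
    return [(f, n) for f, n, active in find_sid(rule_files, sid) if active]

# Constructed sample files (not from the post): netbios.rules holds the
# commented-out rule; local.rules carries a hypothetical live duplicate.
SAMPLE_FILES = {
    "netbios.rules": (
        '#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; '
        'flow:to_server,established; classtype:bad-unknown; sid:1295; rev:11;)\n'
    ),
    "local.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 \\\n'
        '  (msg:"LOCAL nimda copy"; sid:1295; rev:1;)\n'
        'alert tcp any any -> any 80 (msg:"LOCAL test"; sid:1000001; rev:1;)\n'
    ),
}
```

Run `active_copies(files, 1295)` over the real rules directory contents (every file included from snort.conf) and an empty result confirms nothing uncommented still carries that sid.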
