[Snort-users] Disabled rules still triggering
willstmail at ...11827...
Wed Apr 28 14:19:38 EDT 2010
I have a Snort sensor running 188.8.131.52 and oinkmaster 2.0 on FreeBSD
6.2. I have some signatures that I disable with oinkmaster, and in
the rules files they show as commented out, but alerts are still being
# Nimda RICHED20.DLL (2010-03-09 wss)
# grep "sid:1295;" *
netbios.rules:#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; classtype:bad-unknown; sid:1295; rev:11;)
This seems to be happening with some (not sure about all) signatures.
I've tried both HUP'ing Snort and doing a full stop and start.
Suppressing it in threshold.conf DOES seem to prevent alerts:
$ grep 1295 /usr/local/etc/snort/threshold.conf
suppress gen_id 1, sig_id 1295
$ grep 1295 /var/log/messages
Apr 28 14:11:45 mysnortsensor snort: | gen-id=1
But I'd rather disable than simply suppress, and the fact that the
commented rule is still being loaded is troubling. We've been running
184.108.40.206 on this sensor for a couple months, this issue seems to have
started in the past few days, and I don't think I'm seeing it on other
sensors. We are using the paid signature subscription.
Any ideas on how else to troubleshoot this? Going to 2.8.6 isn't
an option just yet.
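A check worth running before suppressing anything, added here as an example and not part of the original post or of Snort/oinkmaster: a commented-out line in netbios.rules proves nothing about what the running sensor loaded. Snort only reads the files that its snort.conf actually includes, so the usual explanations for "disabled but still firing" are a second, uncommented copy of the same sid in another included file (local.rules, an old copy of the ruleset, a file oinkmaster does not manage), or a snort.conf that points at a different rules directory than the one oinkmaster writes to. The script below parses the `var` and `include` lines of a snort.conf, resolves `$RULE_PATH`-style variables, and reports every active (non-comment) rule carrying a given sid across the included files. The snort.conf, rule files and directory layout it builds under mktemp are constructed for the demonstration; point `find_active_sid` at the real config to use it.

```shell
#!/bin/sh
# Added example (not from the original post): report every active, uncommented
# rule with a given sid in the files that a snort.conf actually includes.
# Handles "var NAME value" and "include $NAME/file.rules" lines only; commented
# include lines are ignored, like Snort does. Paths are assumed not to contain
# whitespace. The demo files at the bottom are constructed, not real data.

set -u

# Print the rule files included by snort.conf, with $VAR references expanded.
# Relative paths are resolved against the directory holding snort.conf.
active_rule_files() {
    conf=$1
    confdir=$(dirname "$conf")
    awk -v confdir="$confdir" '
        $1 == "var" { vars[$2] = $3; next }
        $1 == "include" {
            path = $2
            for (v in vars) { gsub("\\$" v, vars[v], path) }
            if (path !~ /^\//) path = confdir "/" path
            print path
        }' "$conf"
}

# Print file:line:rule for every non-comment line carrying "sid:<sid>;".
# Returns 0 if at least one active copy exists, 1 if the sid is truly disabled.
find_active_sid() {
    sid=$1
    conf=$2
    found=1
    for f in $(active_rule_files "$conf"); do
        if [ ! -r "$f" ]; then
            echo "warning: included file missing or unreadable: $f" >&2
            continue
        fi
        # grep -n gives "N:line"; drop lines whose first non-blank char is '#'
        hits=$(grep -n "sid:[ ]*$sid;" "$f" 2>/dev/null \
               | grep -v '^[0-9]*:[[:space:]]*#')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"
            found=0
        fi
    done
    return $found
}

# --- constructed demo tree (stand-in for /usr/local/etc/snort) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc" "$DEMO/rules"
cat > "$DEMO/etc/snort.conf" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/local.rules
# include $RULE_PATH/old.rules
EOF
# the copy oinkmaster disabled, as in the post
cat > "$DEMO/rules/netbios.rules" <<'EOF'
#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; classtype:bad-unknown; sid:1295; rev:11;)
EOF
# a stale, still-active copy of the same sid in a file oinkmaster never touched
cat > "$DEMO/rules/local.rules" <<'EOF'
# local additions
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; classtype:bad-unknown; sid:1295; rev:10;)
EOF
DEMO_CONF=$DEMO/etc/snort.conf

# Demo run: reports the active copy in local.rules, not the commented one.
find_active_sid 1295 "$DEMO_CONF"
```

Run it against the sensor with `find_active_sid 1295 /usr/local/etc/snort/snort.conf` (check `ps` for the `-c` path the running snort was actually started with, since that is the config that matters) and then `snort -T -c /usr/local/etc/snort/snort.conf` to have Snort itself parse the configuration and report what it loads. The fact that a `suppress` entry in threshold.conf stops the alerts is consistent with this picture: suppression acts on the event after the rule has matched, so it works no matter which file the still-active copy of sid 1295 came from.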