[Snort-users] Disabled rules still triggering

Chan, Wilson wchan at ...14702...
Wed Apr 28 14:51:27 EDT 2010


Just curious, did you run oinkmaster? If it's via a cron, then try running
it manually, as you can read the output to see whether it disabled the sid.
Then restart snort so it takes the new rules.

Wilson

-----Original Message-----
From: Willst Mail [mailto:willstmail at ...11827...] 
Sent: Wednesday, April 28, 2010 8:20 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Disabled rules still triggering

I have a Snort sensor running 2.8.5.3 and oinkmaster 2.0 on FreeBSD
6.2.  I have some signatures that I disable with oinkmaster, and in
the rules files they show as commented out, but alerts are still being
generated.  Example:

From oinkmaster.conf:
# Nimda RICHED20.DLL (2010-03-09 wss)
disablesid 1295

From /usr/local/etc/snort/rules:
# grep "sid:1295;" *
netbios.rules:#alert tcp $EXTERNAL_NET any -> $HOME_NET 139
(msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established;
content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L";
nocase; reference:url,www.f-secure.com/v-descs/nimda.shtml;
classtype:bad-unknown; sid:1295; rev:11;)

This seems to be happening with some (not sure about all) signatures.
I've tried both HUP'ing Snort and doing a full stop and start.

Suppressing it in threshold.conf DOES seem to prevent alerts:
$ grep 1295 /usr/local/etc/snort/threshold.conf
suppress gen_id 1, sig_id 1295
$ grep 1295 /var/log/messages
Apr 28 14:11:45 mysnortsensor snort[92239]: | gen-id=1
sig-id=1295       tracking=none

But I'd rather disable than simply suppress, and the fact that the
commented rule is still being loaded is troubling.  We've been running
2.8.5.3 on this sensor for a couple months, this issue seems to have
started in the past few days, and I don't think I'm seeing it on other
sensors.  We are using the paid signature subscription.

Any ideas on how else to troubleshoot this?  Going to 2.8.6 isn't
an option just yet.
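The grep in the post only proves that one rules directory is clean; Snort loads whatever the include lines in snort.conf point at. As an added example, not part of this thread and not oinkmaster's or Snort's own code, here is a POSIX sh check that walks the include lines of a Snort 2.x snort.conf, expands $RULE_PATH, and lists every uncommented rule line carrying a given SID, warning on stderr about included files that do not exist. The fixture it builds (a config with two rules files, one of which still holds an active copy of sid 1295) is constructed for the demonstration; the assumption that relative include paths resolve against the directory holding snort.conf is mine.

```shell
#!/bin/sh
# Added example (not from the thread). Reports every ACTIVE (uncommented)
# rule line with a given SID across all files that snort.conf includes.
# Assumption: Snort 2.x syntax ("var RULE_PATH <dir>", "include <file>"),
# and relative include paths resolve against the directory of snort.conf.

# find_active_sid CONF SID
#   stdout: "<file>:<line>:<rule text>" for each active rule with sid:SID
#   stderr: a warning for each included file that cannot be found
find_active_sid() {
    conf=$1
    sid=$2
    confdir=$(dirname "$conf")
    # First "var RULE_PATH <dir>" in the config, trailing blanks stripped.
    rule_path=$(sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*//p' "$conf" \
                | head -n 1 | sed 's/[[:space:]]*$//')
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*//p' "$conf" |
    while IFS= read -r inc; do
        # Expand a leading $RULE_PATH, then make the path absolute.
        case $inc in
            '$RULE_PATH'/*) f="$rule_path/${inc#'$RULE_PATH'/}" ;;
            *)              f=$inc ;;
        esac
        case $f in
            /*) ;;
            *)  f="$confdir/$f" ;;
        esac
        if [ ! -f "$f" ]; then
            echo "warning: included file not found: $f" >&2
            continue
        fi
        # Keep lines carrying "sid:<SID>;" whose first non-blank char is not '#'.
        grep -n "sid:[[:space:]]*$sid[[:space:]]*;" "$f" |
            grep -v '^[0-9][0-9]*:[[:space:]]*#' |
            sed "s|^|$f:|"
    done
}

# make_fixture: builds a throwaway config tree (constructed data, not real
# files) mimicking the situation in the thread: netbios.rules has sid 1295
# commented out, but a second included file still carries an active copy.
# Prints the path of the generated snort.conf.
make_fixture() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/snortchk.XXXXXX")
    mkdir "$d/rules"
    cat > "$d/snort.conf" <<'EOF'
var HOME_NET any
var RULE_PATH rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/local.rules
include $RULE_PATH/does-not-exist.rules
EOF
    cat > "$d/rules/netbios.rules" <<'EOF'
#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; classtype:bad-unknown; sid:1295; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS other"; sid:1296; rev:1;)
EOF
    cat > "$d/rules/local.rules" <<'EOF'
# stale, still-active copy of the same signature (constructed for the example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL (old copy)"; sid:1295; rev:10;)
EOF
    printf '%s\n' "$d/snort.conf"
}

# Stand-alone demo: on the fixture this lists only local.rules line 2 and
# warns about does-not-exist.rules.
conf=$(make_fixture)
find_active_sid "$conf" 1295
```

Run it against the real config as `find_active_sid /usr/local/etc/snort/snort.conf 1295`: an empty result means no included file still carries an active copy of that SID, so the remaining suspects are the running process (restart it and confirm with the pid in the log) and the rules directory oinkmaster writes to versus the one snort.conf reads.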
