[Snort-users] Disabled rules still triggering

Chan, Wilson wchan at ...14702...
Wed Apr 28 14:51:27 EDT 2010

Just curious, did you run oinkmaster? If it's run via cron, then try running
it manually, as you can read the output to see whether it disabled the sid.
Then restart Snort so it picks up the new rules.


-----Original Message-----
From: Willst Mail [mailto:willstmail at ...11827...] 
Sent: Wednesday, April 28, 2010 8:20 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Disabled rules still triggering

I have a Snort sensor running and oinkmaster 2.0 on FreeBSD
6.2.  I have some signatures that I disable with oinkmaster, and in
the rules files they show as commented out, but alerts are still being
generated.  Example:

From oinkmaster.conf:
# Nimda RICHED20.DLL (2010-03-09 wss)
disablesid 1295

From /usr/local/etc/snort/rules:
# grep "sid:1295;" *
netbios.rules:#alert tcp $EXTERNAL_NET any -> $HOME_NET 139
(msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established;
nocase; reference:url,www.f-secure.com/v-descs/nimda.shtml;
classtype:bad-unknown; sid:1295; rev:11;)

This seems to be happening with some (not sure about all) signatures.
I've tried both HUP'ing Snort and doing a full stop and start.

Suppressing it in threshold.conf DOES seem to prevent alerts:
$ grep 1295 /usr/local/etc/snort/threshold.conf
suppress gen_id 1, sig_id 1295
$ grep 1295 /var/log/messages
Apr 28 14:11:45 mysnortsensor snort[92239]: | gen-id=1
sig-id=1295       tracking=none

But I'd rather disable than simply suppress, and the fact that the
commented rule is still being loaded is troubling.  We've been running on
this sensor for a couple of months; this issue seems to have started in
the past few days, and I don't think I'm seeing it on other sensors.  We
are using the paid signature subscription.

Any ideas on how else to troubleshoot this?  Going to 2.8.6 isn't an
option just yet.
