[Snort-users] PulledPork and modifying So_rule stubs
dheeraj.gupta4 at ...11827...
Thu Jun 23 01:51:14 EDT 2011
I have been using pulledpork for Snort rule management and it is very good.
Recently I noticed that snort rule 3-10481 (Squid NTLM Exploit Rule) is
defined only for port 3128.
But, here we have proxies running on many different ports, so I decided to
change the rule from $external_net 3128 to $external_net [3128,xxxx,yyyy].
However, the modifysid.conf file explicitly stated that any changes will
only occur to gid:1 files and not gid:3 stubs (since they are inconsequential
or such stuff). I tried making an entry in modifysid.conf for said rule, but
it didn't fire. So, I manually changed the rule line and restarted snort.
Earlier the Squid NTLM exploit when fired from Metasploit on port xxxx was
not detected. But now, since I had modified the so_rule stub to include xxxx
in the port part, it was detected.
So, my question is why doesn't pulledpork modify stubs of rules with gid:3
(at least parts such as home_net, external_net, source/dest ports, etc.) when
clearly such changes reflect in snort's behaviour?
To iterate is human. To recurse, divine!
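As an added example (not code from the post or from PulledPork), here is the header-only rewrite the poster did by hand, scripted so it can be reapplied to a gid:3 stub file: it matches a rule by gid/sid, merges extra ports into the source or destination port field, and leaves every other line untouched. The stub line and the ports 8080 and 3129 are constructed stand-ins for the real rule text and the xxxx/yyyy proxy ports.

```python
import re

# Snort rule header: action proto src sport dir dst dport, then the (...) body.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<body>\(.*\))\s*$')

def rule_ids(body):
    """Return (gid, sid) from a rule body; gid defaults to 1 when absent."""
    gid = re.search(r'\bgid:\s*(\d+)\s*;', body)
    sid = re.search(r'\bsid:\s*(\d+)\s*;', body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)) if sid else None)

def widen_ports(port_field, extra):
    """Merge extra ports into a Snort port field ("3128" or "[3128,8080]")."""
    current = [p.strip() for p in port_field.strip('[]').split(',')]
    if 'any' in current:  # 'any' already covers every port
        return 'any'
    merged = []
    for p in current + [str(x) for x in extra]:
        if p and p not in merged:
            merged.append(p)
    return merged[0] if len(merged) == 1 else '[' + ','.join(merged) + ']'

def modify_stub(rule, gid, sid, extra_sports=(), extra_dports=()):
    """Rewrite the header of the rule matching gid:sid; other lines pass through."""
    m = HEADER_RE.match(rule.strip())
    if not m or rule_ids(m.group('body')) != (gid, sid):
        return rule
    f = m.groupdict()
    if extra_sports:
        f['sport'] = widen_ports(f['sport'], extra_sports)
    if extra_dports:
        f['dport'] = widen_ports(f['dport'], extra_dports)
    return '{action} {proto} {src} {sport} {dir} {dst} {dport} {body}'.format(**f)

def apply_changes(lines, changes):
    """Apply (gid, sid, extra_sports, extra_dports) tuples to every stub line."""
    out = []
    for line in lines:
        for gid, sid, sports, dports in changes:
            line = modify_stub(line, gid, sid, sports, dports)
        out.append(line)
    return out

# Constructed sample stub (not the real VRT rule text); 8080 and 3129 stand in
# for the xxxx/yyyy proxy ports from the post.
SAMPLE_STUB = ('alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any '
               '(msg:"CONSTRUCTED Squid NTLM stub"; sid:10481; gid:3; rev:1;)')
```

Run `apply_changes` over the lines of the stub file after each PulledPork run, because a regenerated stub file will not carry the hand edit forward.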