[Snort-users] PulledPork and modifying So_rule stubs

JJC cummingsj at ...11827...
Thu Jun 23 11:12:51 EDT 2011

I think that this would be a valid use-case to allow gid:3 rules to be
modified, consider it a feature request that we will work into the tool.


On Wed, Jun 22, 2011 at 11:51 PM, Dheeraj Gupta <dheeraj.gupta4 at ...11827...>wrote:

> Hi,
> I have been using pulledpork for Snort rule management and it is very good.
> Recently I noticed that snort rule 3-10481 (Squid NTLM Exploit Rule) is
> defined only for port 3128.
> But, here we have proxies running on many different ports, so I decided to
> change the rule from $external_net 3128 to $external_net [3128,xxxx,yyyy].
> However, the modifysid.conf file explicitly stated that any changes will
> only occur to gid:1 files and not gid:3 stubs(Since they are inconsequential
> or such stuff). I tried making an entry in modifysid.conf for said rule, but
> it didn't fire. So, I manually changed the rule line and restarted snort.
> Earlier the Squid NTLM exploit when fired from Metasploit on port xxxx was
> not detected. But now, since I had modified the so_rule stub to include xxxx
> in the port part, it was detected.
> So, my question is why doesn't pulledpork modify stubs of rules with gid:3
> (atleast parts such as home_net external_net, source,dest ports etc) when
> clearly such changes reflect in snort's behaviour
> Regards,
> Dheeraj
> --
> To iterate is human.To recurse, divine!
> ------------------------------------------------------------------------------
> Simplify data backup and recovery for your virtual environment with
> vRanger.
> Installation's a snap, and flexible recovery options mean your data is
> safe,
> secure and there when you need it. Data protection magic?
> Nope - It's vRanger. Get your free trial download today.
> http://p.sf.net/sfu/quest-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please see http://www.snort.org/docs for documentation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110623/a980f3ce/attachment.html>

More information about the Snort-users mailing list