[Snort-users] PulledPork and modifying So_rule stubs

Michael Lubinski michael.lubinski at ...11827...
Thu Jun 23 13:33:53 EDT 2011


++1
On Jun 23, 2011 10:17 AM, "JJC" <cummingsj at ...11827...> wrote:
> I think that this would be a valid use-case to allow gid:3 rules to be
> modified, consider it a feature request that we will work into the tool.
>
> JJC
>
> On Wed, Jun 22, 2011 at 11:51 PM, Dheeraj Gupta <dheeraj.gupta4 at ...11827...
>wrote:
>
>> Hi,
>> I have been using pulledpork for Snort rule management and it is very
good.
>> Recently I noticed that snort rule 3-10481 (Squid NTLM Exploit Rule) is
>> defined only for port 3128.
>> But, here we have proxies running on many different ports, so I decided
to
>> change the rule from $external_net 3128 to $external_net
[3128,xxxx,yyyy].
>> However, the modifysid.conf file explicitly stated that any changes will
>> only occur to gid:1 files and not gid:3 stubs(Since they are
inconsequential
>> or such stuff). I tried making an entry in modifysid.conf for said rule,
but
>> it didn't fire. So, I manually changed the rule line and restarted snort.
>> Earlier the Squid NTLM exploit when fired from Metasploit on port xxxx
was
>> not detected. But now, since I had modified the so_rule stub to include
xxxx
>> in the port part, it was detected.
>> So, my question is why doesn't pulledpork modify stubs of rules with
gid:3
>> (atleast parts such as home_net external_net, source,dest ports etc) when
>> clearly such changes reflect in snort's behaviour
>>
>> Regards,
>> Dheeraj
>>
>> --
>> To iterate is human.To recurse, divine!
>>
>>
>>
------------------------------------------------------------------------------
>> Simplify data backup and recovery for your virtual environment with
>> vRanger.
>> Installation's a snap, and flexible recovery options mean your data is
>> safe,
>> secure and there when you need it. Data protection magic?
>> Nope - It's vRanger. Get your free trial download today.
>> http://p.sf.net/sfu/quest-sfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please see http://www.snort.org/docs for documentation
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110623/2bee0455/attachment.html>


More information about the Snort-users mailing list