[Snort-users] Commented rule triggering alerts

Joao Daniel Neves joaodanielnevesss at ...125...
Wed Apr 10 16:36:53 EDT 2013


Joel Esler,
I'm not using pulledpork!

Waldo Kitty, 
I'm sorry, I did not know that. The rule is 1:381. (http://www.snort.org/search/sid/1-381)

Y M,
I don't have a protocol-icmp.rules file.

As the guys can see the rule is commented:
### alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Oracle Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:9;)

What I think is a little strange is that, according to the Snort site, this rule is triggered "... when an ICMP echo request is made from a Solaris host running SING software."

As the guys can see, I don't have any reference to that SING software in the rule. I don't know if it makes sense.


To: joaodanielnevesss at ...125...; snort-users at lists.sourceforge.net
From: snort at ...15979...
Subject: RE: [Snort-users] Commented rule triggering alerts
Date: Wed, 10 Apr 2013 23:20:26 +0300
Which ruleset are you using? icmp-info.rules and icmp.rules have been consolidated under a new rules file with the name: protocol-icmp.rules

From: Joao Daniel Neves
Sent: 4/10/2013 10:54 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Commented rule triggering alerts

Hi,

I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was triggering those alerts. The sid of the rule is 381.

I did the following:

cd /etc/snort/rules

grep -wril 'sid:381' ./*
./icmp-info.rules

vim icmp-info.rules

I found the line and then commented it by placing a "#" at the beginning of the line. I stopped Snort and then started it again.

And I still get alerts for that SID. What can I do to solve it?
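Added example, not from any of the posts above: a small shell script that, for one SID, lists every rules file still carrying the rule, whether that copy is active or commented out, and whether snort.conf actually includes that file. It runs against a constructed throwaway rules tree that mirrors the thread (the active copy in protocol-icmp.rules and the snort.conf include lines are assumptions); point it at /etc/snort to check a real setup.

```shell
#!/bin/sh
# Added example (not from the thread). For one SID, list every rules file that
# carries it, whether that copy is active or commented, and whether snort.conf
# includes the file. The fixture below is constructed to mirror the thread:
# sid 381 commented in icmp-info.rules, an assumed active copy in
# protocol-icmp.rules, and only the latter included from snort.conf.
set -eu

make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/rules"
    rule='alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Oracle Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:9;)'
    echo "### $rule" > "$dir/rules/icmp-info.rules"   # commented, as in the thread
    echo "$rule" > "$dir/rules/protocol-icmp.rules"   # assumed live copy
    printf 'var RULE_PATH rules\ninclude $RULE_PATH/protocol-icmp.rules\n# include $RULE_PATH/icmp-info.rules\n' \
        > "$dir/snort.conf"
    echo "$dir"
}

# sid_status CONF RULESDIR SID
# Prints "<file> <active|commented> <included|not-included>" per matching file.
sid_status() {
    conf=$1; rulesdir=$2; sid=$3
    grep -rl "sid:$sid;" "$rulesdir" | sort | while read -r f; do
        base=$(basename "$f")
        # active if any non-comment line in the file carries the SID
        if grep -Ev '^[[:space:]]*#' "$f" | grep -q "sid:$sid;"; then
            state=active
        else
            state=commented
        fi
        # included if an uncommented include line in snort.conf names this file
        if grep -Eq "^[[:space:]]*include[[:space:]].*/$base\$" "$conf"; then
            inc=included
        else
            inc=not-included
        fi
        echo "$base $state $inc"
    done
}

# Demo on the constructed tree; on a real box:
#   sid_status /etc/snort/snort.conf /etc/snort/rules 381
demo=$(make_fixture)
sid_status "$demo/snort.conf" "$demo/rules" 381
rm -rf "$demo"
```

A file reported as "active included" is the one Snort is actually loading, regardless of which file grep found first.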