[Snort-users] Commented rule triggering alerts

Lay, James james.lay at ...15009...
Wed Apr 10 17:39:55 EDT 2013


Not in this case...for giggles comment out the icmp-info.rules from your
snort.conf, then stop and start snort.  Make sure you do a "ps -aux |
grep snort" after you stop to verify it has indeed stopped ;)


James


From: Joao Daniel Neves [mailto:joaodanielnevesss at ...125...] 
Sent: Wednesday, April 10, 2013 3:02 PM
To: Lay, James; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Commented rule triggering alerts


James,


[root at ...2306... rules]# grep -i ping * | grep -i icmp | grep 381
icmp-info.rules:### alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Oracle Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:9;)
[root at ...2306... rules]#

Do you guys think that pulledpork can help me solve this problem?

________________________________

Date: Wed, 10 Apr 2013 14:44:59 -0600
From: james.lay at ...15009...
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Commented rule triggering alerts

Also in community rules:


grep -i ping * | grep -i icmp | grep 381

community.rules:# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11;)

VRT-protocol-icmp.rules:# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11;)


James

From: Joao Daniel Neves [mailto:joaodanielnevesss at ...125...] 
Sent: Wednesday, April 10, 2013 1:54 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Commented rule triggering alerts


Hi,

I have a lot of ICMP/Ping alerts. So I decided to remove the rule that
was triggering those alerts. The sid of the rule is 381.
I did the following:

cd /etc/snort/rules

grep -wril 'sid:381' ./*
./icmp-info.rules

vim icmp-info.rules

I found the line and then commented it by placing a "#" at the beginning
of the line. I stopped Snort and then started it again.

And I still get alerts for that SID. What can I do to solve it?
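The thread shows the usual cause of this symptom: the same SID lives in more than one rule file (here icmp-info.rules, community.rules and VRT-protocol-icmp.rules), so commenting it out in one file leaves a live copy elsewhere, or the old snort process never actually stopped. The script below is an added example, not code from the thread or from the Snort project: it scans every *.rules file in a directory and separates files that still carry an active (uncommented) rule for a SID from those where it is commented out. The sample rule files it builds in a temp directory are constructed to mimic the thread; the directory path and SID are parameters.

```shell
#!/bin/sh
# Added example (not from the thread): find which rule files still carry
# an ACTIVE rule for a given SID, so a copy commented out in one file but
# live in another is caught before restarting Snort. Assumes POSIX sh,
# grep -E and mktemp; rule files are "<dir>/*.rules".

# Print rule files containing an uncommented rule with the given SID.
# An active rule starts (after optional whitespace) with a rule action.
active_rule_files() {
    dir=$1; sid=$2
    grep -l -E "^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*sid:[[:space:]]*${sid}[[:space:]]*;" \
        "$dir"/*.rules 2>/dev/null || true
}

# Print rule files where the SID appears only on a commented-out line.
commented_rule_files() {
    dir=$1; sid=$2
    grep -l -E "^[[:space:]]*#.*sid:[[:space:]]*${sid}[[:space:]]*;" \
        "$dir"/*.rules 2>/dev/null || true
}

# Exit 0 if some file still has the SID active, 1 otherwise.
is_sid_active() {
    [ -n "$(active_rule_files "$1" "$2")" ]
}

# Build a constructed rules directory that mirrors the thread: the SID is
# commented out in two files but still live in a third, plus an unrelated
# rule whose SID merely starts with the same digits (must not match).
make_sample_rules() {
    d=$(mktemp -d)
    cat > "$d/icmp-info.rules" <<'EOF'
### alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Oracle Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:9;)
EOF
    cat > "$d/community.rules" <<'EOF'
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11;)
EOF
    cat > "$d/local.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:11;)
alert icmp any any -> any any (msg:"constructed unrelated rule"; sid:3810; rev:1;)
EOF
    echo "$d"
}

# Stand-alone demo: report on the constructed directory, then clean up.
# Real use: active_rule_files /etc/snort/rules 381
demo_dir=$(make_sample_rules)
echo "Files with sid:381 still ACTIVE:"
active_rule_files "$demo_dir" 381
echo "Files with sid:381 commented out:"
commented_rule_files "$demo_dir" 381
rm -rf "$demo_dir"
```

Run it against the real rules directory (active_rule_files /etc/snort/rules 381) after commenting a rule; any file it prints is a live copy that will keep firing. Only files included from snort.conf matter to the running sensor, so pair this with a check that the process really restarted, as James suggests with ps.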

