[Snort-users] Commented rule triggering alerts

waldo kitty wkitty42 at ...14940...
Wed Apr 10 20:55:51 EDT 2013


On 4/10/2013 16:20, Y M wrote:
> Which ruleset are you using? icmp-info.rules and icmp.rules have been
> consolidated under a new rules file with the name: protocol-icmp.rules

and yet they are still in the VRT snort rules archive... granted, they may have 
nothing but comments in them but they really should be flushed with zero byte 
files or at least nothing but a comment stating that they are obsolete and 
should be removed from the directory and the snort.conf file...

FWIW: i did a clean install on a new machine the other day and pulled the latest 
rules set for that version of snort (2.9.3.1 - yes, i know it is "old") and 
they came in... counting only *.rules files, excluding "local.rules" and 
VRT-License.txt, there are 104 *.rules files... numerous ones appear to be 
"malformed" with the VRT license text somewhere in the middle of the file and 
others have no such text in them at all...

> --------------------------------------------------------------------------------
> From: Joao Daniel Neves <mailto:joaodanielnevesss at ...125...>
> Sent: 4/10/2013 10:54 PM
> To: snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Commented rule triggering alerts
>
> Hi,
>
> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was
> triggering those alerts. The sid of the rule is 381.
> I did the following:
>
> cd /etc/snort/rules
>
> grep -wril 'sid:381' ./*
> ./icmp-info.rules
>
> vim icmp-info.rules
>
> I found the line and then commented it by placing a "#" at the beginning of the
> line. I stopped Snort and then started it again.
>
> And I still get alert for that SID. What can I do to solve it ?

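The check a practitioner wants here, as an added example that is not part of the thread or of the Snort distribution: instead of grepping one directory, walk the `include` lines that snort.conf actually loads and list every copy of the SID that is still uncommented. A SID commented out in icmp-info.rules keeps firing if a live copy sits in another included file (protocol-icmp.rules after the consolidation Y M mentions) or if the edited directory is not the one snort.conf points at. The snort.conf and rule files below are constructed for the demo, and relative include paths are resolved against the config file's directory, which is an assumption of this script rather than Snort's own rule.

```shell
#!/bin/sh
# Added example (not from the thread): list every *live* copy of a Snort SID in
# the rule files that snort.conf really includes. Sample config/rules below are
# constructed; the rule text is a stand-in, not the real SID 381 rule.

# find_active_sid CONF SID
# Prints FILE:LINE:RULE for each uncommented rule carrying "sid:SID;" in any file
# pulled in by an active "include" line of CONF ($RULE_PATH is expanded).
find_active_sid() {
    conf="$1"; sid="$2"
    confdir=$(dirname "$conf")
    # value of "var RULE_PATH ..." (first definition wins)
    rule_path=$(sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*//p' "$conf" | head -n 1)
    # only uncommented include lines count; "# include ..." is skipped
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*//p' "$conf" | while read -r inc; do
        f=$(printf '%s\n' "$inc" | sed "s|[\$]RULE_PATH|$rule_path|")
        case "$f" in
            /*) ;;                      # absolute path as written
            *)  f="$confdir/$f" ;;      # relative: assumed relative to snort.conf's directory
        esac
        [ -f "$f" ] || continue        # missing file: nothing to load from it
        # a rule is live only if the first non-blank character is not '#'
        grep -nE "^[[:space:]]*[^#[:space:]].*sid:[[:space:]]*${sid}[[:space:]]*;" "$f" \
            | sed "s|^|$f:|"
    done
}

# count_active_sid CONF SID -> number of live copies (0 if none)
count_active_sid() {
    find_active_sid "$1" "$2" | grep -c . || true
}

# demo_setup -> prints a temp directory with a constructed snort.conf, an
# icmp-info.rules where SID 381 is commented out (what the poster did), and a
# protocol-icmp.rules that still carries it live.
demo_setup() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    cat > "$d/snort.conf" <<'EOF'
var RULE_PATH rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/protocol-icmp.rules
# include $RULE_PATH/old-unused.rules
EOF
    cat > "$d/rules/icmp-info.rules" <<'EOF'
# commented out by hand, as in the thread (constructed rule text)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING demo"; itype:8; sid:381; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP other demo"; itype:3; sid:3810; rev:1;)
EOF
    cat > "$d/rules/protocol-icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING demo"; itype:8; sid:381; rev:1;)
EOF
    printf '%s\n' "$d"
}

# stand-alone run: show where the "disabled" SID is still live
dir=$(demo_setup)
echo "live copies of sid 381 under $dir/snort.conf:"
find_active_sid "$dir/snort.conf" 381
rm -rf "$dir"
```

Run against the real install as `find_active_sid /etc/snort/snort.conf 381` after sourcing the file. If a live copy turns up in a file you did not edit, disable it there, or, rather than editing vendor rule files at all, add `suppress gen_id 1, sig_id 381` to threshold.conf (which snort.conf includes) so the rule stays in place but never raises an event.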