[Snort-users] Commented rule triggering alerts

waldo kitty wkitty42 at ...14940...
Wed Apr 10 21:11:17 EDT 2013

On 4/10/2013 16:36, Joao Daniel Neves wrote:
> Joel Esler,
> I'm not using pulledpork!

it would only be in effect if you updated or ran it to update the rules you want 
active or not...

> Waldo Kitty,
> I'm sorry, I did not know that. The rule is 1:381.
> (http://www.snort.org/search/sid/1-381)

ok... that's what i thought... this is from your ALERT or is this just where you 
found (the first occurrence of) it??

> Y M,
> I don't have protocol-icmp.rules file.

what version of snort are you running? snort -V (case is important!)

how do you update your rules? when was the last time you updated them? i guess 
we can assume that you haven't updated your snort.conf for the new rules files 
that you are apparently not aware of ;)

> As the guys can see the rule is commented:
> ### alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Oracle
> Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:9;)
> What I think is a little stranger according to Snort site this rule is triggered
> when "... when an ICMP echo request is made from a Solaris host running SING
> software."
> As the guys can see I don't have any reference to that SING software on the rule.
> I don't know if it makes sense.

remember, snort doesn't know and cannot tell what software actually issued that 
ICMP packet... 1:381 is apparently one of the (very) old community rules from 
way way back... the msg: in that rule was put in place by a human...

run your grep again... maybe like this instead ;)

grep -i -E "sid:\W*381;" /path/to/your/*rules*/*.rules

that should walk the directories in your /path/to/your/rules files... even if 
they are /path/to/your/so_rules or /path/to/your/rules or 
/path/to/your/preproc_rules etc... etc...

the \W* is in there because some rules may still have the space in them that is 
allowed for...

eg: sid: 123

these should have been adjusted a long while back so there was no space but 
there may still be some floating around in the various rules sets :)

> --------------------------------------------------------------------------------
> To: joaodanielnevesss at ...125...; snort-users at lists.sourceforge.net
> From: snort at ...15979...
> Subject: RE: [Snort-users] Commented rule triggering alerts
> Date: Wed, 10 Apr 2013 23:20:26 +0300
> Which ruleset are you using? icmp-info.rules and icmp.rules have been
> consolidated under a new rules file with the name: protocol-icmp.rules
> --------------------------------------------------------------------------------
> From: Joao Daniel Neves <mailto:joaodanielnevesss at ...125...>
> Sent: 4/10/2013 10:54 PM
> To: snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Commented rule triggering alerts
> Hi,
> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was
> triggering those alerts. The sid of the rule is 381.
> I did the following:
> cd /etc/snort/rules
> grep -wril 'sid:381' ./*
> ./icmp-info.rules
> vim icmp-info.rules
> I found the line and then commented it by placing a "#" in the beginning of the
> line. I stopped Snort and then started it again.
> And I still get alert for that SID. What can I do to solve it ?
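
Added example (not part of the original message and not Snort project code): a shell function that goes one step past the grep suggested above by reporting, for every *.rules file under the given directories, the file and line of each rule carrying a sid and whether that copy is commented out. The function names, the directory layout and the second rule file are constructed for illustration; it assumes one rule per line.

```sh
#!/bin/sh
# List every rule carrying a given sid and say whether that copy is active
# or commented out. Assumes one rule per line (no backslash continuations).

# find_sid SID DIR... -> prints "<state> <file>:<line>" per matching rule
find_sid() {
    sid=$1; shift
    find "$@" -type f -name '*.rules' -exec awk -v sid="$sid" '
        # allow "sid:381;" and "sid: 381;", but not "sid:3810;"
        BEGIN { pat = "[^A-Za-z0-9_]sid:[ \t]*" sid "[ \t]*;" }
        (" " $0) ~ pat {
            state = ($0 ~ /^[ \t]*#/) ? "disabled" : "ACTIVE"
            print state, FILENAME ":" FNR
        }' {} + | sort
}

# make_sample DIR -> constructed rule tree (not the poster's real files)
make_sample() {
    mkdir -p "$1/rules" "$1/preproc_rules"
    cat > "$1/rules/icmp-info.rules" <<'EOF'
### alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Oracle Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:9;)
EOF
    cat > "$1/rules/protocol-icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed duplicate"; dsize:8; itype:8; sid: 381; rev:9;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed other rule"; itype:8; sid:3810; rev:1;)
EOF
}

# Demo against a throwaway directory
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_sid 381 "$demo_dir"
rm -rf "$demo_dir"
```

Any line reported as ACTIVE is a copy of the rule that Snort can still load if that file is included from snort.conf.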
