[Snort-users] Commented rule triggering alerts

Joel Esler jesler at ...1935...
Thu Apr 11 07:07:37 EDT 2013


Do you still have this Tarball?

--
Joel Esler
Sent from my iPad 

On Apr 10, 2013, at 8:55 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 4/10/2013 16:20, Y M wrote:
>> Which ruleset are you using? icmp-info.rules and icmp.rules have been
>> consolidated under a new rules file with the name: protocol-icmp.rules
> 
> and yet they are still in the VRT snort rules archive... granted, they may have 
> nothing but comments in them but they really should be flushed with zero byte 
> files or at least nothing but a comment stating that they are obsolete and 
> should be removed from the directory and the snort.conf file...
> 
> FWIW: i did a clean install on a new machine the other day and pulled the latest 
> rules set for that version of snort (2.9.3.1 - yes, i know it is ""old"") and 
> they came in... counting only *.rules files, excluding "local.rules" and 
> VRT-License.txt, there are 104 of *.rules files... numerous ones appear to be 
> "malformed" with the VRT license text somewhere in the middle of the file and 
> others have no such text in them at all...
> 
>> --------------------------------------------------------------------------------
>> From: Joao Daniel Neves <mailto:joaodanielnevesss at ...125...>
>> Sent: 4/10/2013 10:54 PM
>> To: snort-users at lists.sourceforge.net <mailto:snort-users at ...2987...rge.net>
>> Subject: [Snort-users] Commented rule triggering alerts
>> 
>> Hi,
>> 
>> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was
>> triggering those alerts. The sid of the rule is 381.
>> I did the following:
>> 
>> cd /etc/snort/rules
>> 
>> grep -wril 'sid:381' ./*
>> ./icmp-info.rules
>> 
>> vim icmp-info.rules
>> 
>> I found the line and then commented it out by placing a "#" at the beginning of the
>> line. I stopped Snort and then started it again.
>> 
>> And I still get alerts for that SID. What can I do to solve it?
> 
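Added example (not code from anyone in this thread): a small POSIX shell check that lists every uncommented rule line carrying a given sid across a rules directory, which is the check the replies above point at, since a sid commented out in the obsolete icmp-info.rules can still be active in protocol-icmp.rules. The rule lines and directory below are constructed for the demo; only the sid numbers and file names come from the thread.

```shell
#!/bin/sh
# Find every ACTIVE definition of a Snort sid under a rules directory.
# A leading '#' (after optional whitespace) disables a rule, so such lines
# are ignored; a sid like 3810 must not match a search for 381.

# Build a throwaway rules directory mimicking the thread: the old file holds
# only a commented copy, the consolidated file holds the live copy.
# (Constructed demo content, not real VRT rules.)
setup_demo_rules() {
    dir=$(mktemp -d)
    cat > "$dir/icmp-info.rules" <<'EOF'
# icmp-info.rules (obsolete; content moved to protocol-icmp.rules)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo ping"; sid:381; rev:1;)
EOF
    cat > "$dir/protocol-icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo ping"; sid:381; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo other"; sid:3810; rev:1;)
EOF
    printf '%s\n' "$dir"
}

# Print "file:line" for each uncommented rule line whose sid option is
# exactly the requested sid. Uses grep -E and POSIX character classes only.
active_sid_defs() {
    rules_dir=$1
    sid=$2
    grep -nE "^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*[[:space:](;]sid:[[:space:]]*${sid}[[:space:]]*;" \
        "$rules_dir"/*.rules | cut -d: -f1,2
}

# Convenience: how many live definitions of the sid exist (0 means the
# sid really is disabled everywhere in that directory).
count_active_sid_defs() {
    active_sid_defs "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration: the only live sid:381 is in protocol-icmp.rules.
demo_dir=$(setup_demo_rules)
echo "Active definitions of sid:381 under $demo_dir:"
active_sid_defs "$demo_dir" 381
echo "count: $(count_active_sid_defs "$demo_dir" 381)"
```

Run it against /etc/snort/rules (or whichever directory snort.conf includes) with the real sid to see which file still carries the live rule.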
