[Snort-users] Commented rule triggering alerts

Joao Daniel Neves joaodanielnevesss at ...125...
Thu Apr 11 09:24:39 EDT 2013


Joel,

Yes I still have the tar ball.

Waldo,

I did not understand it very well:

ok... that's what i thought... this is from your ALERT or is this just where you 
found (the first occurrence of) it??

My Snort version is 2.9.3.1

I never updated 'my rules'. This Snort is not 'mine'. I mean I did not deploy it. My job is/was to check if it was correctly deployed, although it seems that there are a lot of mistakes. I'm also working on a way to update rules (maybe with pulledpork).

"grep -i -E "sid:\W*381;" /path/to/your/*rules*/*.rules"

Returned a lot of lines.

Stranger still, today I checked for new alerts and I did not see any alerts from 1:381. Now it seems that the rule is disabled, since I always got about 300 alerts every day for that rule (and now I did not see anything).


> From: jesler at ...1935...
> Date: Thu, 11 Apr 2013 07:07:37 -0400
> To: wkitty42 at ...14940...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Commented rule triggering alerts
> 
> Do you still have this Tarball?
> 
> --
> Joel Esler
> Sent from my iPad 
> 
> On Apr 10, 2013, at 8:55 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> 
> > On 4/10/2013 16:20, Y M wrote:
> >> Which ruleset are you using? icmp-info.rules and icmp.rules have been
> >> consolidated under a new rules file with the name: protocol-icmp.rules
> > 
> > and yet they are still in the VRT snort rules archive... granted, they may have 
> > nothing but comments in them but they really should be flushed with zero byte 
> > files or at least nothing but a comment stating that they are obsolete and 
> > should be removed from the directory and the snort.conf file...
> > 
> > FWIW: i did a clean install on a new machine the other day and pulled the latest 
> > rules set for that version of snort (2.9.3.1 - yes, i know it is ""old"") and 
> > they came in... counting only *.rules files, excluding "local.rules" and 
> > VRT-License.txt, there are 104 of *.rules files... numerous ones appear to be 
> > "malformed" with the VRT license text somewhere in the middle of the file and 
> > others have no such text in them at all...
> > 
> >> --------------------------------------------------------------------------------
> >> From: Joao Daniel Neves <mailto:joaodanielnevesss at ...125...>
> >> Sent: ‎4/‎10/‎2013 10:54 PM
> >> To: snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
> >> Subject: [Snort-users] Commented rule triggering alerts
> >> 
> >> Hi,
> >> 
> >> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was
> >> triggering those alerts. The sid of the rule is 381.
> >> I did the following:
> >> 
> >> cd /etc/snort/rules
> >> 
> >> grep -wril 'sid:381' ./*
> >> ./icmp-info.rules
> >> 
> >> vim icmp-info.rules
> >> I found the line and then commented it out by placing a "#" at the beginning of the
> >> line. I stopped Snort and then started it again.
> >> 
> >> And I still get alerts for that SID. What can I do to solve it?
> > 
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > 
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
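The thread's grep (`grep -i -E "sid:\W*381;"`) hits commented-out lines and files that snort.conf never loads, which is why it "returned a lot of lines" without answering the question. The script below is an added example, not code from the thread or from the Snort project: it reads a snort.conf, resolves the rules files it actually includes (expanding `$RULE_PATH`), joins backslash continuation lines, and reports only active (uncommented) rules carrying the requested SID. The config and rules files it runs against are constructed in a temporary directory and are stand-ins; the rule bodies are not the real VRT rule 381, and the assumption that a relative `include` path resolves against the directory holding snort.conf is mine.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): given a
# snort.conf, resolve the rules files it actually includes and report every
# ACTIVE (not '#'-commented) rule carrying a given SID, joining backslash
# continuation lines before matching.  Everything under $SNORT_DEMO is a
# constructed stand-in; the rule bodies are not the real VRT rule text.

SNORT_DEMO=$(mktemp -d)
trap 'rm -rf "$SNORT_DEMO"' EXIT
mkdir -p "$SNORT_DEMO/rules"

# Constructed snort.conf: three include lines via $RULE_PATH (kept literal).
cat > "$SNORT_DEMO/snort.conf" <<EOF
var RULE_PATH $SNORT_DEMO/rules
include \$RULE_PATH/icmp-info.rules
include \$RULE_PATH/protocol-icmp.rules
include \$RULE_PATH/local.rules
EOF

# Constructed icmp-info.rules: sid 381 commented out, as the poster did.
cat > "$SNORT_DEMO/rules/icmp-info.rules" <<'EOF'
# demo file: sid 381 disabled here
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING (demo)"; itype:8; sid:381; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (demo)"; itype:0; sid:382; rev:1;)
EOF

# Constructed protocol-icmp.rules: the same SID is still live, split over
# two lines and written "sid: 381;" so a naive grep -w 'sid:381' misses it.
cat > "$SNORT_DEMO/rules/protocol-icmp.rules" <<'EOF'
# demo consolidated file
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING (demo)"; \
    itype:8; sid: 381; rev:1;)
EOF

cat > "$SNORT_DEMO/rules/local.rules" <<'EOF'
alert icmp any any -> any any (msg:"local demo"; sid:1000001; rev:1;)
EOF

# Print one absolute path per "include" line of a snort.conf, expanding
# $RULE_PATH from the last "var RULE_PATH" definition.  Assumption: a
# relative include resolves against the directory holding snort.conf.
included_rule_files() {
    conf=$1
    confdir=$(dirname "$conf")
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3 }' "$conf" | tail -n 1)
    awk '$1 == "include" { print $2 }' "$conf" | while IFS= read -r inc; do
        case "$inc" in
            '$RULE_PATH'/*) inc="$rule_path/${inc#\$RULE_PATH/}" ;;
        esac
        case "$inc" in
            /*) printf '%s\n' "$inc" ;;
            *)  printf '%s/%s\n' "$confdir" "$inc" ;;
        esac
    done
}

# Print "file:line" for every active rule whose options contain the SID.
# Lines ending in "\" are joined with the next line before testing, and a
# rule counts as active only if the joined text does not start with '#'.
active_rules_with_sid() {
    conf=$1
    sid=$2
    included_rule_files "$conf" | while IFS= read -r f; do
        [ -r "$f" ] || { echo "missing: $f" >&2; continue; }
        awk -v sid="$sid" -v file="$f" '
        {
            line = $0; start = NR
            while (sub(/\\[ \t]*$/, "", line) && (getline nxt) > 0)
                line = line " " nxt
            if (line ~ /^[ \t]*#/) next
            if (line ~ ("sid:[ \t]*" sid "[ \t]*;")) print file ":" start
        }' "$f"
    done
}

# Usage: which included file still carries an active sid 381?
echo "active definitions of sid 381:"
active_rules_with_sid "$SNORT_DEMO/snort.conf" 381
```

Run it against the real `/etc/snort/snort.conf` by replacing the constructed paths. If the SID is still defined in a second included file (here `protocol-icmp.rules`, the file the ICMP rules were consolidated into), commenting it out in `icmp-info.rules` alone changes nothing. If no active definition remains and the alerts continue, the running process is probably not reading the config you edited: `snort -T -c /etc/snort/snort.conf` tests and reports the configuration Snort would load, and `ps` shows which `-c` the live daemon was started with.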

