[Snort-users] Commented rule triggering alerts

waldo kitty wkitty42 at ...14940...
Thu Apr 11 09:58:36 EDT 2013


On 4/11/2013 07:07, Joel Esler wrote:
> Do you still have this Tarball?

replied offlist...

> --
> Joel Esler
> Sent from my iPad
>
> On Apr 10, 2013, at 8:55 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>
>> On 4/10/2013 16:20, Y M wrote:
>>> Which ruleset are you using? icmp-info.rules and icmp.rules have been
>>> consolidated under a new rules file with the name: protocol-icmp.rules
>>
>> and yet they are still in the VRT snort rules archive... granted, they may have
>> nothing but comments in them but they really should be flushed with zero byte
>> files or at least nothing but a comment stating that they are obsolete and
>> should be removed from the directory and the snort.conf file...
>>
>> FWIW: i did a clean install on a new machine the other day and pulled the latest
>> rules set for that version of snort (2.9.3.1 - yes, i know it is "old") and
>> they came in... counting only *.rules files, excluding "local.rules" and
>> VRT-License.txt, there are 104 of *.rules files... numerous ones appear to be
>> "malformed" with the VRT license text somewhere in the middle of the file and
>> others have no such text in them at all...
>>
>>> --------------------------------------------------------------------------------
>>> From: Joao Daniel Neves<mailto:joaodanielnevesss at ...125...>
>>> Sent: 4/10/2013 10:54 PM
>>> To: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] Commented rule triggering alerts
>>>
>>> Hi,
>>>
>>> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was
>>> triggering those alerts. The sid of the rule is 381.
>>> I did the following:
>>>
>>> cd /etc/snort/rules
>>>
>>> grep -wril 'sid:381' ./*
>>> ./icmp-info.rules
>>>
>>> vim icmp-info.rules
>>>
>>> I found the line and then commented it by placing a "#" at the beginning of the
>>> line. I stopped Snort and then started it again.
>>>
>>> And I still get alerts for that SID. What can I do to solve it?
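An added check for the situation described above (example code, not from any poster in this thread): because the VRT archive ships both the old icmp-info.rules and the consolidated protocol-icmp.rules, a SID commented out in one file can still be defined, uncommented, in another file that snort.conf includes. The script lists every active line carrying a given SID across a rules directory; the sample directory it builds, its file names and the rule text in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists every rule line that is still
# ACTIVE (not commented out) and carries a given SID, across all *.rules
# files in a directory. A rule commented in icmp-info.rules keeps firing
# if a live copy exists in another included file such as protocol-icmp.rules.
# Assumes POSIX sh and grep; the directory and the SID are parameters.

active_rules_with_sid() {
    rules_dir=$1
    sid=$2
    # The first non-blank character must not be '#', and the line must carry
    # "sid:<N>;" as a whole option (optional spaces), so 381 does not match 3810.
    grep -n -E "^[[:space:]]*[^#[:space:]].*sid:[[:space:]]*${sid}[[:space:]]*;" \
        "$rules_dir"/*.rules 2>/dev/null
    return 0
}

# Number of active definitions of a SID: 0 means no rule file can still
# raise it, more than 1 means duplicate copies to reconcile.
count_active_sid() {
    active_rules_with_sid "$1" "$2" | grep -c . || true
}

# Constructed sample directory mirroring the thread: the SID is commented
# out in icmp-info.rules but a live copy sits in protocol-icmp.rules.
make_sample_rules_dir() {
    d=$(mktemp -d)
    cat > "$d/icmp-info.rules" <<'EOF'
# constructed sample, commented out as in the original post
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PING sample"; itype:8; sid:381; rev:1;)
EOF
    cat > "$d/protocol-icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PING sample"; itype:8; sid:381; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"other sample"; itype:8; sid:3810; rev:1;)
EOF
    echo "$d"
}

# Usage: sh find_active_sid.sh /etc/snort/rules 381
if [ $# -eq 2 ]; then
    active_rules_with_sid "$1" "$2"
fi
```

Every file:line printed is a place the SID is still live; after disabling them all, a lingering alert points at a rules path other than the one being edited (check the include lines in snort.conf).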