[Snort-users] Pulledpork doesn't disable some rules

C. L. Martinez carlopmart at ...11827...
Mon Apr 14 09:40:51 EDT 2014


On Mon, Apr 14, 2014 at 1:28 PM, Y M <snort at ...15979...> wrote:
>> Ok, I have applied the following solution posted in
>> https://code.google.com/p/pulledpork/issues/detail?id=82, using
>> modifysid option without luck.
>
> This depends on how you are modifying the rule in the modifysid.conf file,
> and if there are other rules that check if this particular flowbit is set.
> For example:
>
> Rule A --> sets --> flowbit 1
> Rule B --> checks (isset/isnotset) --> flowbit 1
>
> In this case, if you disable Rule A, PulledPork will re-enable it since
> another rule (Rule B) is checking the same flowbit (flowbit 1).
>
> The order in which PulledPork will process the rules (modifysid.conf first)
> is already committed to PulledPork v0.7. Which means that if you modify (pcre
> or so, as documented) your rule in the modifysid.conf file by removing the
> flowbits setting, it will be processed first, hence, the dependency should
> be removed already before moving along.
>

Thanks, YM. Uhmm, I see, but then I have a problem. In the
EmergingThreats rules package, the following rules exist with the same
flowbit:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.4.x Detected"; flow:established,to_server;
content:"Java/1.4."; http_user_agent;
flowbits:set,ET.http.javaclient.vulnerable;  threshold: type limit,
count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2011584; rev:11;)

#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.5.x Detected"; flow:established,to_server;
content:" Java/1.5."; nocase; http_header;
flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit,
count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2011581; rev:9;)

#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.6.x Detected"; flow:established,to_server;
content:"Java/1.6.0_"; http_user_agent; content:!"71"; within:2;
http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
threshold: type limit, count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2011582; rev:33;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 1.7.x Detected"; flow:established,to_server;
content:"Java/1.7.0_"; http_user_agent; content:!"51"; within:2;
http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
threshold: type limit, count 2, seconds 300, track by_src;
reference:url,javatester.org/version.html; classtype:bad-unknown;
sid:2014297; rev:25;)

I only want to remove rule 2011582, not the others. If I understand
correctly, if I put the following in my modifysid.conf:

2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""

I disable all these rules ... is it ok??

And these rule dependencies, too:

root at ...16105...:/tmp/j/rules # grep ET.http.javaclient.vulnerable * | grep isset
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit
Received By Vulnerable Client"; flow:established,to_client;
flowbits:isset,ET.http.javaclient.vulnerable;
content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider";
classtype:bad-unknown; sid:2013484; rev:3;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar";
flow:from_server,established;
flowbits:isset,ET.http.javaclient.vulnerable;
content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560;
rev:6;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit
vulnerable Java payload request to /1digit.html";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_server; urilen:7; content:".html"; http_uri;
content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U";
flowbits:set,et.exploitkitlanding; classtype:trojan-activity;
sid:2014750; rev:2;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin
Download"; flow:established,to_server; content:"java_ara&name=";
http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri;
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2014805; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE
Download by Vulnerable Version - Likely Driveby";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|";
classtype:trojan-activity; sid:2014909; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file";
flow:to_client,established; content:"|0d 0a 0d 0a|PK";
content:"C1.class"; fast_pattern; distance:0; content:"C2.class";
distance:0; flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2014983; rev:2;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12";
flow:to_client,established; file_data; content:"PK"; within:2;
content:"SecretKey.class"; fast_pattern; distance:0;
content:"Mac.class"; distance:0;
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2015812; rev:3;)
emerging-current_events.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS ->
$HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path
(Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data;
content:"PK"; within:2; content:"cve1723/";
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2015849; rev:3;)
emerging-current_events.rules:alert http $EXTERNAL_NET any ->
$HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12";
flow:to_client,established; file_data; content:"PK"; within:2;
content:"SecretKey.class"; fast_pattern:only; content:"Anony";
pcre:"/^(mous)?\.class/R";
flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2015876; rev:3;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit
Vulnerable Java Payload Request URI (1)";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_server; content:"/33.html"; depth:8; http_uri;
urilen:8; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2015930; rev:2;)
emerging-current_events.rules:alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit
vulnerable Java Payload Request to URI (2)";
flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_server; content:"/41.html"; depth:8; http_uri;
urilen:8; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2015931; rev:2;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Archive Download";
flow:from_server,established;
flowbits:isnotset,ET.http.javaclient.vulnerable;
flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK";
classtype:trojan-activity; sid:2014472; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client";
flow:from_server,established;
flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D
0A|PK"; classtype:trojan-activity; sid:2014473; rev:4;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Class Download";
flow:from_server,established;
flowbits:isnotset,ET.http.javaclient.vulnerable;
flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA
BE|"; classtype:trojan-activity; sid:2014474; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO JAVA - Java Class Download By Vulnerable Client";
flow:from_server,established;
flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA
FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO Java Serialized Data via vulnerable client";
flow:established,from_server;
flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac
ed|"; within:2; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2016502; rev:2;)
emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET INFO file possibly containing Serialized Data file";
flow:to_client,established; file_data; content:"PK"; within:2;
content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2016505; rev:2;)
emerging-policy.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET POLICY DRIVEBY Generic - EXE Download by Java";
flow:from_server,established;
flowbits:isnotset,ET.http.javaclient.vulnerable;
flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ";
byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64;
within:4; threshold:type limit,track by_src,count 1,seconds 3;
classtype:trojan-activity; sid:2014471; rev:6;)
emerging-trojan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely
Driveby"; flowbits:isset,ET.http.javaclient.vulnerable;
flow:established,to_client; content:"|0d 0a 0d 0a|MZ";
byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64;
within:4; threshold:type limit,track by_src,count 1,seconds 3;
classtype:trojan-activity; sid:2013036; rev:7;)

Is this correct??
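The mechanism YM describes (modifysid applied first, then disabled rules re-enabled when an enabled rule checks a flowbit they set) can be modelled to see what a single modifysid.conf entry for sid 2011582 does to the rule set above. The script below is an added example, not PulledPork's code or the Emerging Threats rules: it is a simplified model of the behaviour stated in the thread, the sample rules are abbreviated copies of four rules quoted above, and the function names (parse_rules, apply_modifysid, resolve_flowbits) are this example's own.

```python
"""Model of PulledPork's modifysid pass followed by its flowbit-dependency pass.

Added example, not PulledPork's implementation. It models only what the thread
states: modifysid edits a rule's text first; afterwards any disabled rule that
sets a flowbit which some enabled rule checks (isset/isnotset) is re-enabled.
"""
import re

# Constructed sample: abbreviated copies of four rules quoted in the thread
# (two setters of ET.http.javaclient.vulnerable, two checkers).
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:"Java/1.4."; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; classtype:bad-unknown; sid:2011584; rev:11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; classtype:bad-unknown; sid:2011582; rev:33;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A|PK"; classtype:trojan-activity; sid:2014473; rev:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK"; classtype:trojan-activity; sid:2014472; rev:6;)
'''

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits:\s*([a-z]+)\s*,\s*([^;]+?)\s*;')
SET_OPS = {"set", "toggle"}          # operations that make a flowbit available
CHECK_OPS = {"isset", "isnotset"}    # operations that depend on a flowbit
# unset/noalert carry no dependency for this model and are ignored.


def parse_rules(text):
    """Return {sid: {"enabled", "sets", "checks", "text"}} for one rule per line.
    A leading '#' marks the rule as disabled, as in a .rules file."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        m = SID_RE.search(body)
        if not m:
            continue
        sets, checks = set(), set()
        for op, names in FLOWBITS_RE.findall(body):
            for name in re.split(r"[&|]", names):   # "a&b" style multi-bit forms
                if op in SET_OPS:
                    sets.add(name.strip())
                elif op in CHECK_OPS:
                    checks.add(name.strip())
        rules[int(m.group(1))] = {"enabled": enabled, "sets": sets,
                                  "checks": checks, "text": body}
    return rules


def apply_modifysid(rules, sid, search, replace):
    """Apply one modifysid.conf entry (sid "search" "replace") as a regex
    substitution on that rule's text only, then re-parse so the flowbit
    bookkeeping reflects the edited rule."""
    old = rules[sid]
    new_text = re.sub(search, replace, old["text"])
    updated = parse_rules(new_text)[sid]
    updated["enabled"] = old["enabled"]
    rules[sid] = updated


def resolve_flowbits(rules, disable_sids):
    """Disable the requested sids, then re-enable any disabled rule that sets a
    flowbit checked by an enabled rule, iterating until nothing changes.
    Returns (enabled_sids, re_enabled_sids)."""
    state = {sid: r["enabled"] for sid, r in rules.items()}
    for sid in disable_sids:
        state[sid] = False
    re_enabled = set()
    changed = True
    while changed:
        changed = False
        needed = set()
        for sid, r in rules.items():
            if state[sid]:
                needed |= r["checks"]
        for sid, r in rules.items():
            if not state[sid] and r["sets"] & needed:
                state[sid] = True
                re_enabled.add(sid)
                changed = True
    return {sid for sid, on in state.items() if on}, re_enabled


def remaining_setters(rules, flowbit):
    """Sids that still set the given flowbit (sorted), useful to confirm the
    checkers are still served after one setter has been edited."""
    return sorted(sid for sid, r in rules.items() if flowbit in r["sets"])


def scenario(with_modifysid):
    """Disable sid 2011582, with or without the modifysid entry from the thread."""
    rules = parse_rules(SAMPLE_RULES)
    if with_modifysid:
        apply_modifysid(rules, 2011582,
                        r"flowbits:set,ET.http.javaclient.vulnerable;", "")
    return resolve_flowbits(rules, {2011582})


if __name__ == "__main__":
    for flag in (False, True):
        enabled, back = scenario(flag)
        print(f"modifysid={flag}: enabled={sorted(enabled)} re-enabled={sorted(back)}")
    rules = parse_rules(SAMPLE_RULES)
    apply_modifysid(rules, 2011582, r"flowbits:set,ET.http.javaclient.vulnerable;", "")
    print("still setting the bit:", remaining_setters(rules, "ET.http.javaclient.vulnerable"))
```

Run as written, the model shows the two outcomes side by side: without the modifysid entry, disabling 2011582 is undone because 2014473 checks the flowbit it sets; with the entry, only 2011582 loses its flowbits option, it stays disabled, and 2011584 (and in the real rule set 2011581 and 2014297) still set the bit for the checking rules. Whether the real PulledPork matches this model on a given version is something to confirm by diffing the generated snort.rules before and after the change.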