[Snort-users] Pulledpork doesn't disable some rules

Y M snort at ...15979...
Mon Apr 14 11:20:21 EDT 2014

> I only want to remove rule 2011582, not the others. If I am
> understanding correctly, if I put the following in my modifysid.conf:
> 
> 2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""
> 
> I disable all these rules ... is that right??
 
Since you specified the sid for PulledPork, it should only modify that particular signature.
 
YM
 
> Date: Mon, 14 Apr 2014 13:40:51 +0000
> From: carlopmart at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Pulledpork doesn't disable some rules
> 
> On Mon, Apr 14, 2014 at 1:28 PM, Y M <snort at ...15979...> wrote:
> >> Ok, I have applied the following solution posted in
> >> https://code.google.com/p/pulledpork/issues/detail?id=82, using the
> >> modifysid option, without luck.
> >
> > This depends on how you are modifying the rule in the modifysid.conf file,
> > and on whether there are other rules that check if this particular flowbit is set.
> > For example:
> >
> > Rule A --> sets --> flowbit 1
> > Rule B --> checks (isset/isnotset) --> flowbit 1
> >
> > In this case, if you disable Rule A, PulledPork will re-enable it since
> > another rule (Rule B) is checking the same flowbit (flowbit 1).
> >
> > The order in which PulledPork will process the rules (modifysid.conf first)
> > is already committed to PulledPork v0.7. Which means that if you modify
> > (with pcre or so, as documented) your rule in the modifysid.conf file by
> > removing the flowbits setting, it will be processed first; hence, the
> > dependency should already be removed before moving along.
> >
> 
> Thanks, YM. Uhmm, I see, but then I have a problem. In the
> EmergingThreats rules package the following rules exist with the same
> flowbit:
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 1.4.x Detected"; flow:established,to_server;
> content:"Java/1.4."; http_user_agent;
> flowbits:set,ET.http.javaclient.vulnerable;  threshold: type limit,
> count 2, seconds 300, track by_src;
> reference:url,javatester.org/version.html; classtype:bad-unknown;
> sid:2011584; rev:11;)
> 
> #
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 1.5.x Detected"; flow:established,to_server;
> content:" Java/1.5."; nocase; http_header;
> flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit,
> count 2, seconds 300, track by_src;
> reference:url,javatester.org/version.html; classtype:bad-unknown;
> sid:2011581; rev:9;)
> 
> #
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 1.6.x Detected"; flow:established,to_server;
> content:"Java/1.6.0_"; http_user_agent; content:!"71"; within:2;
> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
> threshold: type limit, count 2, seconds 300, track by_src;
> reference:url,javatester.org/version.html; classtype:bad-unknown;
> sid:2011582; rev:33;)
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 1.7.x Detected"; flow:established,to_server;
> content:"Java/1.7.0_"; http_user_agent; content:!"51"; within:2;
> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
> threshold: type limit, count 2, seconds 300, track by_src;
> reference:url,javatester.org/version.html; classtype:bad-unknown;
> sid:2014297; rev:25;)
> 
> I only want to remove rule 2011582, not the others. If I am
> understanding correctly, if I put the following in my modifysid.conf:
> 
> 2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""
> 
> I disable all these rules ... is that right??
> 
> And these rule dependencies, too:
> 
> root at ...16105...:/tmp/j/rules # grep ET.http.javaclient.vulnerable * | grep isset
> emerging-current_events.rules:alert http $EXTERNAL_NET any ->
> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit
> Received By Vulnerable Client"; flow:established,to_client;
> flowbits:isset,ET.http.javaclient.vulnerable;
> content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider";
> classtype:bad-unknown; sid:2013484; rev:3;)
> emerging-current_events.rules:alert http $EXTERNAL_NET any ->
> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar";
> flow:from_server,established;
> flowbits:isset,ET.http.javaclient.vulnerable;
> content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560;
> rev:6;)
> emerging-current_events.rules:alert http $HOME_NET any ->
> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit
> vulnerable Java payload request to /1digit.html";
> flowbits:isset,ET.http.javaclient.vulnerable;
> flow:established,to_server; urilen:7; content:".html"; http_uri;
> content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U";
> flowbits:set,et.exploitkitlanding; classtype:trojan-activity;
> sid:2014750; rev:2;)
> emerging-current_events.rules:alert http $HOME_NET any ->
> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin
> Download"; flow:established,to_server; content:"java_ara&name=";
> http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri;
> flowbits:isset,ET.http.javaclient.vulnerable;
> classtype:trojan-activity; sid:2014805; rev:2;)
> emerging-current_events.rules:alert http $EXTERNAL_NET any ->
> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE
> Download by Vulnerable Version - Likely Driveby";
> flowbits:isset,ET.http.javaclient.vulnerable;
> flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|";
> classtype:trojan-activity; sid:2014909; rev:2;)
> emerging-current_events.rules:alert http $EXTERNAL_NET any ->
> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file";
> flow:to_client,established; content:"|0d 0a 0d 0a|PK";
> content:"C1.class"; fast_pattern; distance:0; content:"C2.class";
> distance:0; flowbits:isset,ET.http.javaclient.vulnerable;
> classtype:trojan-activity; sid:2014983; rev:2;)
> emerging-current_events.rules:alert http $EXTERNAL_NET any ->
> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12";
> flow:to_client,established; file_data; content:"PK"; within:2;
> content:"SecretKey.class"; fast_pattern; distance:0;
> content:"Mac.class"; distance:0;
> flowbits:isset,ET.http.javaclient.vulnerable;
> classtype:trojan-activity; sid:2015812; rev:3;)
> emerging-current_events.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS ->
> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path
> (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data;
> content:"PK"; within:2; content:"cve1723/";
> flowbits:isset,ET.http.javaclient.vulnerable;
> classtype:trojan-activity; sid:2015849; rev:3;)
> emerging-current_events.rules:alert http $EXTERNAL_NET any ->
> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12";
> flow:to_client,established; file_data; content:"PK"; within:2;
> content:"SecretKey.class"; fast_pattern:only; content:"Anony";
> pcre:"/^(mous)?\.class/R";
> flowbits:isset,ET.http.javaclient.vulnerable;
> classtype:trojan-activity; sid:2015876; rev:3;)
> emerging-current_events.rules:alert http $HOME_NET any ->
> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit
> Vulnerable Java Payload Request URI (1)";
> flowbits:isset,ET.http.javaclient.vulnerable;
> flow:established,to_server; content:"/33.html"; depth:8; http_uri;
> urilen:8; flowbits:set,et.exploitkitlanding;
> classtype:trojan-activity; sid:2015930; rev:2;)
> emerging-current_events.rules:alert http $HOME_NET any ->
> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit
> vulnerable Java Payload Request to URI (2)";
> flowbits:isset,ET.http.javaclient.vulnerable;
> flow:established,to_server; content:"/41.html"; depth:8; http_uri;
> urilen:8; flowbits:set,et.exploitkitlanding;
> classtype:trojan-activity; sid:2015931; rev:2;)
> emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET INFO JAVA - Java Archive Download";
> flow:from_server,established;
> flowbits:isnotset,ET.http.javaclient.vulnerable;
> flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK";
> classtype:trojan-activity; sid:2014472; rev:6;)
> emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client";
> flow:from_server,established;
> flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D
> 0A|PK"; classtype:trojan-activity; sid:2014473; rev:4;)
> emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET INFO JAVA - Java Class Download";
> flow:from_server,established;
> flowbits:isnotset,ET.http.javaclient.vulnerable;
> flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA
> BE|"; classtype:trojan-activity; sid:2014474; rev:6;)
> emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client";
> flow:from_server,established;
> flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA
> FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6;)
> emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET INFO Java Serialized Data via vulnerable client";
> flow:established,from_server;
> flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac
> ed|"; within:2; flowbits:set,et.exploitkitlanding;
> classtype:trojan-activity; sid:2016502; rev:2;)
> emerging-info.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET INFO file possibly containing Serialized Data file";
> flow:to_client,established; file_data; content:"PK"; within:2;
> content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable;
> classtype:trojan-activity; sid:2016505; rev:2;)
> emerging-policy.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java";
> flow:from_server,established;
> flowbits:isnotset,ET.http.javaclient.vulnerable;
> flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ";
> byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64;
> within:4; threshold:type limit,track by_src,count 1,seconds 3;
> classtype:trojan-activity; sid:2014471; rev:6;)
> emerging-trojan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely
> Driveby"; flowbits:isset,ET.http.javaclient.vulnerable;
> flow:established,to_client; content:"|0d 0a 0d 0a|MZ";
> byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64;
> within:4; threshold:type limit,track by_src,count 1,seconds 3;
> classtype:trojan-activity; sid:2013036; rev:7;)
> 
> Is this correct??
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
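A worked model of the ordering YM describes above (modifysid.conf applied first, then any disabled rule that sets a flowbit some other rule still checks gets re-enabled), as an added example that is not PulledPork's own code. It takes trimmed copies of four of the ET rules quoted in the thread (constructed sample input; options shortened, flowbits and sid kept), applies the exact modifysid.conf line from the question, and shows why a plain disablesid of 2011582 gets undone while modifysid followed by disablesid sticks. Assumptions, labelled in the code: the "from" field of modifysid.conf is treated as a regular expression, only enabled rules count as flowbit checkers, and the multi-SID and category forms of modifysid.conf are not modelled.

```python
"""Model of PulledPork's modifysid / disablesid / flowbit-dependency ordering.

Added example, not PulledPork's code: it reproduces the behaviour described in
the thread (modifysid.conf first; disabled rules that set a flowbit an enabled
rule still checks are re-enabled) so the two configurations can be compared.
"""
import re

# Constructed sample: trimmed copies of four ET rules quoted in the thread
# (options shortened; the flowbits and sid options are the ones that matter).
RULES_TEXT = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; classtype:bad-unknown; sid:2011582; rev:33;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:"Java/1.7.0_"; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; classtype:bad-unknown; sid:2014297; rev:25;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A|PK"; classtype:trojan-activity; sid:2014473; rev:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK"; classtype:trojan-activity; sid:2014472; rev:6;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits:\s*(\w+)\s*(?:,\s*([^;]+?))?\s*;")
# Simplification: only the single-sid form  sid "from" "to"  is modelled.
MODIFYSID_RE = re.compile(r'^\s*(\d+)\s+"(.*?)"\s+"(.*?)"\s*$')
CHECK_OPS = {"isset", "isnotset"}
SET_OPS = {"set", "setx", "toggle"}


def parse_rules(text):
    """Return {sid: rule_text}; a leading '#' (disabled rule) is stripped."""
    rules = {}
    for line in text.splitlines():
        body = line.strip().lstrip("#").strip()
        m = SID_RE.search(body)
        if body.startswith("alert") and m:
            rules[int(m.group(1))] = body
    return rules


def flowbit_ops(rule):
    """(op, bitname) for every flowbits option; 'a|b' / 'a&b' yield each bit."""
    ops = []
    for m in FLOWBITS_RE.finditer(rule):
        for name in re.split(r"[|&]", m.group(2) or ""):
            if name.strip():
                ops.append((m.group(1), name.strip()))
    return ops


def apply_modifysid(rules, modifysid_lines):
    """modifysid.conf: sid "pattern" "replacement"; only the named sid is touched.
    Assumption: the pattern is a regex (the thread says pcre is documented)."""
    out = dict(rules)
    for line in modifysid_lines:
        m = MODIFYSID_RE.match(line)
        if not m:
            continue
        sid, pattern, repl = int(m.group(1)), m.group(2), m.group(3)
        if sid in out:
            out[sid] = re.sub(pattern, repl, out[sid])
    return out


def resolve_flowbit_dependencies(rules, disabled):
    """Re-enable any disabled rule that sets a flowbit an enabled rule checks.
    Assumption: only enabled checkers count. Loops to a fixed point because a
    re-enabled rule may itself check further bits."""
    disabled, reenabled = set(disabled), set()
    while True:
        checked = {name for sid, r in rules.items() if sid not in disabled
                   for op, name in flowbit_ops(r) if op in CHECK_OPS}
        revived = {sid for sid in disabled
                   if any(op in SET_OPS and name in checked
                          for op, name in flowbit_ops(rules[sid]))}
        if not revived:
            return disabled, reenabled
        disabled -= revived
        reenabled |= revived


def process(rules_text, modifysid_lines, disablesid):
    """Ordering from the thread: modifysid first, then disablesid, then the
    flowbit fix-up. Returns (final rules, still-disabled sids, re-enabled sids)."""
    rules = apply_modifysid(parse_rules(rules_text), modifysid_lines)
    disabled, reenabled = resolve_flowbit_dependencies(rules, set(disablesid))
    return rules, disabled, reenabled


def render(rules, disabled):
    """Output as a rules file: disabled rules are commented out."""
    return "\n".join(("# " if sid in disabled else "") + rules[sid]
                     for sid in sorted(rules))


if __name__ == "__main__":
    # 1) disablesid alone: 2011582 comes back because 2014473 still checks the bit.
    _, disabled, reenabled = process(RULES_TEXT, [], [2011582])
    print("disablesid only -> re-enabled:", sorted(reenabled))
    # 2) the modifysid line from the thread, then disablesid: it stays disabled,
    #    and the other setter (2014297) is left untouched.
    modifysid = ['2011582 "flowbits:set,ET.http.javaclient.vulnerable;" ""']
    rules, disabled, reenabled = process(RULES_TEXT, modifysid, [2011582])
    print("modifysid + disablesid -> disabled:", sorted(disabled))
    print(render(rules, disabled))
```

Two things worth checking on a real deployment after reading the output: stripping flowbits:set from 2011582 alone leaves 2011584, 2011581 and 2014297 setting the bit, so the isset/isnotset rules still work for those clients; stripping or disabling all four setters would leave every isset rule dead, which is precisely the dependency the re-enable step exists to protect. And verify the result on the generated file rather than on the config, e.g. grep the output rules file for `sid:2011582;` and confirm the line is commented and no longer contains `flowbits:set`.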

