[Snort-users] Receiving alerts for a disabled rule

SnortFan SnortFan at ...131...
Thu Feb 20 19:53:25 EST 2014


If not the two things Joel listed, it could also be your sig-msg.map file reference is incorrect for the sid/rev and the description your feeding to by2 to place into the database is incorrect. This is highly unlikely, but If you still have the snort log for the time you can use the tool provided with the snort install to read the file and see if the sid and rev for the rule you commented out is really alerting. 

Enjoy,
Ed

Sent from a mobile device. 

> On Feb 20, 2014, at 10:36 AM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
> 
> If you are receiving the alert from the rule, then it is either:
> 
> A) Not disabled
> B) You didn’t restart Snort after you disabled it.
> 
> --
> Joel Esler
> Threat Intelligence Team Lead
> Open Source Manager
> Vulnerability Research Team
> 
>> On Feb 20, 2014, at 7:03 AM, Anshuman Anil Deshmukh <anshuman at ...16567....> wrote:
>> 
>> Hi,
>>  
>> Recently I found that I am getting alerts for one of the rule which is commented out. What could be the possible reason for generating such alert when the rule is disabled?
>>  
>> Here are my setup details below.
>>  
>> Snort version: Version 2.9.5 GRE (Build 103)
>> Barnyard version: Version 2.1.9 (Build 263) - XFF patch (version 2)
>> Rules are updating using pulledpork version 0.70 where all rules reside in one single file
>>  
>> Below are the references of the actual rule and the alert generated on SNORBY.
>>  
>>  
>> <image004.jpg>
>>  
>>  
>> Thanks and Regards,
>> Anshuman
>> Information Security-Analyst
>> 
>> "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com
>> 
>> <image001.png>------------------------------------------------------------------------------
>> Managing the Performance of Cloud-Based Applications
>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>> Read the Whitepaper.
>> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk_______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140220/92d12ad2/attachment.html>


More information about the Snort-users mailing list