[Snort-users] Receiving alerts for a disabled rule

waldo kitty wkitty42 at ...14940...
Fri Feb 28 16:14:16 EST 2014

On 2/28/2014 8:15 AM, Anshuman Anil Deshmukh wrote:
> Hi Joel,
> The rule is disabled. I even restarted the snort machine but still alerts for
> this rule are getting generated. Please help.

is your snort configured to actually use and follow those textual rule files for 
en/disabling those GID 3 rules? there are similar for the other generators and 
they are ignored unless snort is specifically configured to use them...

> Here is the actual rule-
> # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS generic web
> server hashing collision attack"; sid:20825; gid:3; rev:8;
> classtype:attempted-dos; reference:cve,2011-3414;
> reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html;
> reference:url,technet.microsoft.com/en-us/security/advisory/2659883;
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100;
> reference:cve,2012-0830; reference:cve,2010-1899; reference:cve,2011-5037;
> metadata: engine shared, soid 3|20825, service http;)

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list