[Snort-users] Receiving alerts for a disabled rule
wkitty42 at ...14940...
Fri Feb 28 16:14:16 EST 2014

On 2/28/2014 8:15 AM, Anshuman Anil Deshmukh wrote:
> Hi Joel,
> The rule is disabled. I even restarted the snort machine but still alerts for
> this rule are getting generated. Please help.

is your snort configured to actually use and follow those textual rule files for
en/disabling those GID 3 rules? there are similar for the other generators and
they are ignored unless snort is specifically configured to use them...

> Here is the actual rule-
> # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS generic web
> server hashing collision attack"; sid:20825; gid:3; rev:8;
> classtype:attempted-dos; reference:cve,2011-3414;
> reference:cve,2012-0830; reference:cve,2010-1899; reference:cve,2011-5037;
> metadata: engine shared, soid 3|20825, service http;)

NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
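
The check the reply asks for can be scripted. The following is an added example, not code from the thread or from the Snort project: it lists which rule files a Snort 2.x-style configuration actually includes and reports the state of every copy of gid 3, sid 20825 found in them. The configuration text, paths and file names are constructed for illustration.

```python
import re
# Constructed sample inputs (not from the thread); paths and file names are hypothetical.
SNORT_CONF = """\
var SO_RULE_PATH /etc/snort/so_rules
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
# include $SO_RULE_PATH/stubs-a.rules
include $SO_RULE_PATH/stubs-b.rules
"""
STUB = 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS generic"; sid:20825; gid:3; rev:8;)'
RULE_FILES = {  # path -> file text; read these from disk in real use
    "/etc/snort/rules/local.rules": 'alert icmp any any -> any any (msg:"ping"; sid:1000001; rev:1;)\n',
    "/etc/snort/so_rules/stubs-a.rules": "# " + STUB + "\n",  # the copy that was commented out
    "/etc/snort/so_rules/stubs-b.rules": STUB + "\n",         # a second, still active copy
}
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\(.*\)\s*$")

def included_files(conf):
    """Rule files named by uncommented include lines, with $VAR references expanded."""
    variables, files = {}, []
    for line in conf.splitlines():
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "include" and len(parts) >= 2:
            files.append(re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), parts[1]))
    return files

def rule_states(text, gid, sid):
    """State of every copy of gid:sid in one file (assumes one rule per line)."""
    states = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        s = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        g = re.search(r"\bgid\s*:\s*(\d+)\s*;", line)
        # A rule with no gid option belongs to generator 1.
        if m and s and int(s.group(1)) == sid and int(g.group(1) if g else 1) == gid:
            states.append("disabled" if m.group("off") else "enabled")
    return states

def audit(conf, rule_files, gid, sid):
    """Map each included file holding gid:sid to the state of its copies."""
    found = {p: rule_states(rule_files.get(p, ""), gid, sid) for p in included_files(conf)}
    return {p: s for p, s in found.items() if s}

if __name__ == "__main__":
    print(audit(SNORT_CONF, RULE_FILES, 3, 20825))
```

In this constructed case the commented-out copy sits in a file the configuration never includes, while an included file still carries an enabled copy.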