Snort mailing list archives

snort 2.0 RC1 runs commented out rules?


From: "Michael Scheidell" <scheidell () secnap net>
Date: Fri, 28 Mar 2003 20:01:14 -0500

I get too many false alarms on the smtp relay rule, so I comment it out:
policy.rules:#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content: "550 5.7.1"; depth:70; reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249; classtype:misc-activity; sid:567; rev:9;)

but Snort 2.0RC1 just triggered on it, and here is the payload from ACID to show
it's not a Barnyard/ACID thing:
length = 68

000 : 35 35 30 20 35 2E 37 2E 31 20 4D 61 69 6C 20 66   550 5.7.1 Mail f
010 : 72 6F 6D 20 32 31 31 2E 31 35 37 2E 31 30 30 2E   rom 211.157.100.
020 : 31 34 35 20 62 6C 6F 63 6B 65 64 20 62 79 20 63   145 blocked by c
030 : 6E 2D 6B 72 2E 62 6C 61 63 6B 68 6F 6C 65 73 2E   n-kr.blackholes.
040 : 75 73 0D 0A                                       us..


(I think I have seen Snort 1.9.1 do it also.)
I suspect that the rules parser wants
# alert tcp
rather than
#alert tcp.

Is that true? If so, shouldn't the rules parser complain with one of those WTF?
messages?

System is FBSD 4.8 prerelease, libnet 1.0.2a, configured with flexresp.
snort cmd line:
/usr/local/bin/snort -doDI -m 022 -z \
-c /etc/snort/snort_wan.conf -i -l /var/log/snort_wan \
-F /etc/snort/snort_wan.bpf

bpf is:
not host xxx.xxx.xxx.xxx

snort.conf:
preprocessor frag2
preprocessor stream4: noinspect, disable_evasion_alerts, ttl_limit 0
preprocessor stream4_reassemble: noalerts
preprocessor http_decode: 80 81 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60, log /var/log/snort/portscan.log
preprocessor portscan2-ignorehosts: $DNS_SERVERS 208.237.120.134
output alert_unified: filename /var/log/snort_wan/alert, limit 16
output log_unified: filename /var/log/snort_wan/log, limit 128

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
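A check worth running before blaming the rules parser, added here as an example and not part of the original post or of Snort itself: walk every file reached through `include` lines from the main config and list each copy of a given sid, whether commented out or active. A rule commented out in one file is still loaded if an active copy sits in another included file. The config and rules files below are constructed; the paths `snort_wan.conf`, `policy.rules` and `local.rules`, and the second, still-active copy of sid 567 in `local.rules`, are assumptions for illustration. The scanner treats both `#alert` and `# alert` as commented out, which is the intended meaning in the post, not a statement about how Snort's parser reads them; it also joins backslash-continued rule lines so multi-line rules are scanned as one.

```python
import re
from collections import deque

# Constructed sample files (assumption for this example). Only the commented
# policy.rules line mirrors the rule quoted in the post; the active copy in
# local.rules is invented to show why a commented rule can still fire.
SAMPLE_FILES = {
    "snort_wan.conf": (
        "var SMTP_SERVERS 192.0.2.25\n"
        "var EXTERNAL_NET any\n"
        "include policy.rules\n"
        "include local.rules\n"
    ),
    "policy.rules": (
        "# policy rules (constructed excerpt)\n"
        "#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:\"POLICY SMTP relaying denied\"; "
        "flow:established,from_server; content: \"550 5.7.1\"; depth:70; sid:567; rev:9;)\n"
        "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:\"POLICY SMTP probe\"; \\\n"
        "    sid:1000001; rev:1;)\n"
    ),
    "local.rules": (
        "# a second, still-active copy of the same rule (constructed)\n"
        "alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:\"POLICY SMTP relaying denied\"; "
        "content: \"550 5.7.1\"; sid:567; rev:9;)\n"
    ),
}

# A rule line starts with an action, optionally preceded by '#' (with or
# without a space) when it is commented out.
ACTION_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|activate|dynamic)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, joined_text)."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def scan_rules(text):
    """Return (lineno, active, sid) for every rule line, commented or not."""
    found = []
    for n, line in logical_lines(text):
        m = ACTION_RE.match(line)
        if not m:
            continue
        s = SID_RE.search(line)
        found.append((n, m.group(1) is None, int(s.group(1)) if s else None))
    return found


def find_sid(files, root, sid):
    """Follow include directives from root (in order) and list every copy of sid.

    files maps a path to its text, so the check runs offline on the sample.
    """
    hits, seen, todo = [], set(), deque([root])
    while todo:
        path = todo.popleft()
        if path in seen or path not in files:
            continue
        seen.add(path)
        for n, active, s in scan_rules(files[path]):
            if s == sid:
                hits.append((path, n, active))
        for _, line in logical_lines(files[path]):
            m = INCLUDE_RE.match(line)
            if m:
                todo.append(m.group(1))
    return hits


def rule_state(files, root, sid):
    """'active' if any loaded copy is uncommented, 'commented' if all are, else 'absent'."""
    hits = find_sid(files, root, sid)
    if not hits:
        return "absent"
    return "active" if any(active for _, _, active in hits) else "commented"


if __name__ == "__main__":
    for path, n, active in find_sid(SAMPLE_FILES, "snort_wan.conf", 567):
        print(f"{path}:{n} {'ACTIVE' if active else 'commented'}")
    print("sid 567 is", rule_state(SAMPLE_FILES, "snort_wan.conf", 567))
```

On a real box the same functions work on `{path: open(path).read()}` built from the config directory; an `include` that resolves to a path missing from that mapping is silently skipped here, so list the mapping's keys against the includes if a rule still cannot be found.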


