Snort mailing list archives
snort 2.0 RC1 runs commented out rules?
From: "Michael Scheidell" <scheidell () secnap net>
Date: Fri, 28 Mar 2003 20:01:14 -0500
I get too many false alarms on the smtp relay rule, so I comment it out:

policy.rules:
    #alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content: "550 5.7.1"; depth:70; reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249; classtype:misc-activity; sid:567; rev:9;)

But snort 2.0RC1 just triggered on it, and here is the payload from acid to show it's not a barnyard/acid thing:

    length = 68
    000 : 35 35 30 20 35 2E 37 2E 31 20 4D 61 69 6C 20 66  550 5.7.1 Mail f
    010 : 72 6F 6D 20 32 31 31 2E 31 35 37 2E 31 30 30 2E  rom 211.157.100.
    020 : 31 34 35 20 62 6C 6F 63 6B 65 64 20 62 79 20 63  145 blocked by c
    030 : 6E 2D 6B 72 2E 62 6C 61 63 6B 68 6F 6C 65 73 2E  n-kr.blackholes.
    040 : 75 73 0D 0A                                      us..

(I think I have seen snort 1.9.1 do it also.)

I suspect that the rules parser wants "# alert tcp" rather than "#alert tcp". Is that true? If so, should not the rules parser complain, one of those WTF? messages?

System is FBSD 4.8 prerelease, libnet 1.0.2a, configured with flexresp.

snort cmd line:
    /usr/local/bin/snort -doDI -m 022 -z \
        -c /etc/snort/snort_wan.conf -i -l /var/log/snort_wan \
        -F /etc/snort/snort_wan.bpf

bpf is:
    not host xxx.xxx.xxx.xxx

snort.conf:
    preprocessor frag2
    preprocessor stream4: noinspect, disable_evasion_alerts, ttl_limit 0
    preprocessor stream4_reassemble: noalerts
    preprocessor http_decode: 80 81 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    preprocessor telnet_decode
    preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
    preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60, log /var/log/snort/portscan.log
    preprocessor portscan2-ignorehosts: $DNS_SERVERS 208.237.120.134
    output alert_unified: filename /var/log/snort_wan/alert, limit 16
    output log_unified: filename /var/log/snort_wan/log, limit 128

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
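As an added example that is not part of the original post and is not Snort's own rule parser, the following Python script audits rules files using the comment convention the poster expects: a line whose first non-blank character is "#" is a comment, so both "#alert" and "# alert" count as disabled. It joins backslash-continued rules into one logical line, collects the sid of every rule, and for a given sid reports whether any loaded file still has it active. It does not settle what the Snort 2.0 RC1 parser actually does; it tells you whether the files on disk explain an alert (for instance, an uncommented copy of sid 567 in a second file). The file names and all rules other than the quoted sid 567 rule are constructed for the example.

```python
"""Audit which rules in Snort-style rules files are active vs commented out.

Added example, not Snort's parser. Comment convention assumed here: a line
whose first non-blank character is '#' is disabled, whether or not a space
follows the '#'. Rules continued with a trailing backslash are joined first.
"""
import re
from typing import Dict, List, Tuple

# Matches the sid option inside a rule's option block, e.g. "sid:567;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Rule actions a rule line starts with; any other first token (var,
# preprocessor, include, output, ...) is a directive, not a rule.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}


def _logical_lines(text: str) -> List[str]:
    """Join lines ending in a backslash with the line that follows them."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        out.append(buf + raw)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_rules(text: str) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Return (active, commented) mappings from sid to the rule text."""
    active: Dict[int, str] = {}
    commented: Dict[int, str] = {}
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped:
            continue
        is_comment = stripped.startswith("#")
        body = stripped.lstrip("#").strip()  # rule text without the comment marker
        if not body or body.split(None, 1)[0] not in ACTIONS:
            continue  # blank comment, prose comment, or a config directive
        m = SID_RE.search(body)
        if not m:
            continue  # rule without a sid option; nothing to key on
        (commented if is_comment else active)[int(m.group(1))] = body
    return active, commented


def audit(files: Dict[str, str]) -> Dict[int, Dict[str, List[str]]]:
    """For every sid, list the files where it is active and where it is commented."""
    report: Dict[int, Dict[str, List[str]]] = {}
    for name, text in files.items():
        active, commented = parse_rules(text)
        for sid in active:
            report.setdefault(sid, {"active": [], "commented": []})["active"].append(name)
        for sid in commented:
            report.setdefault(sid, {"active": [], "commented": []})["commented"].append(name)
    return report


def explain_alert(sid: int, report: Dict[int, Dict[str, List[str]]]) -> str:
    """Say whether an alert for this sid is explained by the loaded files."""
    entry = report.get(sid)
    if entry is None:
        return "sid %d is not in any loaded rules file" % sid
    if entry["active"]:
        return "sid %d is active in: %s" % (sid, ", ".join(entry["active"]))
    return ("sid %d is commented out in every loaded file (%s); an alert for it "
            "means the parser ignored the comment or another rule source is loaded"
            % (sid, ", ".join(entry["commented"])))


# Constructed sample files. The sid 567 rule is the one quoted in the post; the
# others (sids 1000001, 1000002) and the file names are made up for the example.
SAMPLE_FILES = {
    "policy.rules": (
        '#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; '
        'flow:established,from_server; content: "550 5.7.1"; depth:70; '
        'reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249; '
        'classtype:misc-activity; sid:567; rev:9;)\n'
        '# alert tcp any any -> any 25 (msg:"constructed disabled rule"; sid:1000001; rev:1;)\n'
        'alert tcp any any -> any 25 (msg:"constructed active rule"; \\\n'
        '    content:"EXPN"; sid:1000002; rev:1;)\n'
    ),
    "local.rules": (
        '# constructed second file that carries an uncommented copy of sid 567\n'
        'alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"copy of 567"; sid:567; rev:9;)\n'
    ),
}


if __name__ == "__main__":
    only_policy = audit({"policy.rules": SAMPLE_FILES["policy.rules"]})
    print(explain_alert(567, only_policy))
    both = audit(SAMPLE_FILES)
    print(explain_alert(567, both))
```

Run it against the real directory of rules files named by the snort.conf `include` lines; if the sid that fired is reported as commented out everywhere, the next thing to check is the parser itself (for example by running snort with the rule present both as "#alert" and "# alert" and comparing which variant it loads), since the files on disk no longer explain the alert.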