Snort mailing list archives

Snort 2.02 still runs 'disabled' rules


From: <scheidell () secnap net>
Date: Tue, 23 Sep 2003 13:23:08 -0400

This started to happen with snort 1.9.1 and has been reported by several people in the past.

It kept up with snort 2.00 and 2.01, and is still in snort 2.0.2.

If I have a disabled rule (with a # in front of it) it should not run, but does.

Don't know why it's the same rule that runs in all of these versions, but it is.

Here is the rule, cut/paste from my ../rules/web-misc.rules file:

ls -l web-misc.rules
-rw-r--r--  1 root  wheel  70772 Aug 13 21:10 web-misc.rules

grep robots.txt *.rules

Why does it still generate alerts?

web-misc.rules:# NOTES: this signature looks for someone accessing the file "robots.txt" via
web-misc.rules:# engines) more efficient.  robots.txt is often used to inform a web spider
web-misc.rules:# Verify that the robots.txt does not include any sensitive information.
web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

System is FBSD 4.8, ../configure --enable-flexresp

It MIGHT be a SIGHUP problem since I did a killall -HUP snort to restart it a while back.

MAYBE, with flex-resp enabled, with the disabled rule being the 'n'th rule, with FBSD memory management, with it being the third Tuesday of the month, with a SIGHUP reload of the rules, it sometimes misses the comment.

Since I am not the only one that has reported this, maybe there is a way to track this down.

Could it be a problem with flex-resp code and SIGHUPs?  Is it only on FBSD?
For now, I will be doing a killall snort and cold restart to see if that fixes the problem.


--
Michael Scheidell
SECNAP Network Security
561-368-9561 x 1131
www.secnap.com 
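Added here as an illustration (not the poster's code or anything from the Snort project): a small Python audit that parses Snort 2.x rules files, treats a rule whose line starts with '#' as disabled, and reports which SIDs are actually active across a rules directory, so an operator chasing a report like this one can confirm that sid:1852 is not also enabled in some other loaded file. The sample rules text, the LOCAL sids and the function names are my own assumptions.

```python
import re
from pathlib import Path

# Constructed sample of a Snort 2.x rules file (not the poster's file): the
# robots.txt rule disabled with '#', a backslash-continued rule, a plain rule.
SAMPLE_RULES = r'''# NOTES: this signature looks for someone accessing the file "robots.txt"
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL sample one"; \
    flow:to_server,established; uricontent:"/sample-one"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL sample two"; uricontent:"/sample-two"; sid:1000002; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ACTION_RE = re.compile(r'^(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s')

def _logical_lines(text):
    """Join backslash-continued physical lines into one logical rule line."""
    buf = ''
    for line in text.splitlines():
        if line.rstrip().endswith('\\'):
            buf += line.rstrip()[:-1]
            continue
        yield buf + line
        buf = ''
    if buf:
        yield buf

def rule_states(text):
    """Return {sid: 'active' | 'disabled'} for every rule in a rules file's text.
    A '#' as first non-blank char is a comment; it counts as a disabled rule
    only when a rule action keyword follows the '#'."""
    states = {}
    for logical in _logical_lines(text):
        stripped = logical.lstrip()
        commented = stripped.startswith('#')
        body = stripped.lstrip('#').lstrip() if commented else stripped
        if not ACTION_RE.match(body):
            continue  # plain comment, blank line or non-rule config
        m = SID_RE.search(body)
        if m:
            states[int(m.group(1))] = 'disabled' if commented else 'active'
    return states

def active_sids(rules_dir):
    """Map each sid active in any *.rules file under rules_dir to those files."""
    hits = {}
    for path in sorted(Path(rules_dir).glob('*.rules')):
        for sid, state in rule_states(path.read_text()).items():
            if state == 'active':
                hits.setdefault(sid, []).append(path.name)
    return hits
```

Run `active_sids('/usr/local/etc/snort/rules')` (path assumed) and check whether 1852 appears in the result; if it does not, a firing sid:1852 points at the running process (stale rule set after SIGHUP) rather than at the files on disk.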

