Snort mailing list archives
Snort 2.02 still runs 'disabled' rules
From: <scheidell () secnap net>
Date: Tue, 23 Sep 2003 13:23:08 -0400
This started to happen with snort 1.9.1 and has been reported by several people in the past. It kept up with snort 2.00 and 2.01, and is still in snort 2.0.2.

If I have a disabled rule (with a # in front of it) it should not run, but does. Don't know why it's the same rule that runs in all of these versions, but it is.

Here is the rule, cut/paste from my ../rules/web-misc.rules file:

    ls -l web-misc.rules
    -rw-r--r--  1 root  wheel  70772 Aug 13 21:10 web-misc.rules

    grep robots.txt *.rules
    web-misc.rules:# NOTES: this signature looks for someone accessing the file "robots.txt" via
    web-misc.rules:# engines) more efficient. robots.txt is often used to inform a web spider
    web-misc.rules:# Verify that the robots.txt does not include any sensitive information.
    web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

Why does it still generate alerts?

System is FBSD 4.8, ../configure --enable-flexresp

It MIGHT be a SIGHUP problem since I did a killall -HUP snort to restart it a while back. MAYBE, with flex-resp enabled, with the disabled rule being the 'n'th rule, with FBSD memory management, with it being the third Tuesday of the month, with a SIGHUP reload of the rules, it sometimes misses the comment.

Since I am not the only one that has reported this, maybe there is a way to track this down. Could it be a problem with flex-resp code and SIGHUPs? Is it only on FBSD?

For now, I will be doing a killall snort and cold restart to see if that fixes the problem.

--
Michael Scheidell
SECNAP Network Security
561-368-9561 x 1131
www.secnap.com
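A quick way to check the rule set itself before suspecting the SIGHUP reload: list every copy of a given sid across the rules files and whether each copy is enabled or commented out, since an alert with a "disabled" sid is often explained by a second, active copy in another file or a backslash-continued rule whose comment marker only covers the first physical line. This is an added example, not code from the thread or from the Snort project; the rules text below is constructed for the demonstration (the commented sid:1852 rule is the one quoted above, the enabled duplicate is made up).

```python
import re
from pathlib import Path

ACTIONS = {'alert', 'log', 'pass', 'activate', 'dynamic', 'drop', 'reject', 'sdrop'}
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample: the disabled rule from the post plus a made-up enabled
# duplicate written with Snort's backslash line continuation.
SAMPLE_RULES = """\
# NOTES: this signature looks for someone accessing the file "robots.txt" via
# Verify that the robots.txt does not include any sensitive information.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \\
    (msg:"WEB-MISC robots.txt access (constructed duplicate)"; \\
    uricontent:"/robots.txt"; nocase; sid:1852; rev:3;)
alert tcp any any -> any 80 (msg:"constructed other rule"; sid:1000001; rev:1;)
"""

def parse_rules(text):
    """Yield (start_line, sid, enabled) for each rule in a Snort rules file.

    Physical lines ending in a backslash are joined first, so a sid on a later
    physical line is attributed to the rule that began it. A rule is enabled
    when its first token is an action keyword; the same text behind a leading
    '#' is disabled. Pure comment and config lines are skipped.
    """
    buf, start = '', None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith('\\'):
            buf += stripped[:-1] + ' '
            continue
        logical = (buf + stripped).strip()
        start_line, buf, start = start, '', None
        body = logical.lstrip('#').strip()
        first = body.split(None, 1)[0] if body else ''
        if first not in ACTIONS:
            continue
        m = SID_RE.search(body)
        if m:
            yield start_line, int(m.group(1)), not logical.startswith('#')

def find_sid(text, sid):
    """Return [(start_line, enabled), ...] for every copy of sid in text."""
    return [(line, on) for line, s, on in parse_rules(text) if s == sid]

def scan_dir(rule_dir, sid):
    """Same check over every *.rules file in a directory: [(file, line, enabled)]."""
    return [(str(p), line, on) for p in sorted(Path(rule_dir).glob('*.rules'))
            for line, on in find_sid(p.read_text(errors='replace'), sid)]
```

Running `scan_dir('../rules', 1852)` against a live rules directory should return only disabled copies if the comment is really taking effect; any `True` entry is the copy that is still firing.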