Snort mailing list archives

Re: Receiving alerts for a disabled rule

From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Sat, 8 Mar 2014 20:35:30 +0000

Hi,



As specified in my initial mail, all the snort rules reside in one single file. So there’s no question about using 
different .rules files. I am logging all the alerts to SNORBY on a MYSQL database. There’s no delay when to writing to 
MYSQL database using barnyard. And also I see that there are no alerts queued in SNORBY, worker service is running 
normally.



Any other thoughts? Please let me know if I need to post any of my config files.



Thanks.



Regards,

Anshuman



From: SnortFan [mailto:SnortFan () yahoo com]
Sent: Friday, February 28, 2014 10:25 PM
To: Anshuman Anil Deshmukh
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Receiving alerts for a disabled rule



Hmm try this:



Double check your snort.conf to make sure of where your pulling your rules from. Then do a grep in that folder against 
all the .rules files against the Sid number.  Maybe it's in another file that's getting used?



Also, are you looking at it from an interface like base or at the new unified2 file it starts writing too upon restart. 
The reason I'm asking is that an tool like base could have alerts queued.



Cheers,

Ed



Sent from a mobile device.


On Feb 28, 2014, at 8:15 AM, Anshuman Anil Deshmukh <anshuman () cybage com<mailto:anshuman () cybage com>> wrote:

   Hi Joel,



   The rule is disabled. I even restarted the snort machine but still alerts for this rule are getting generated. 
Please help.



   Here is the actual rule-



   # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS generic web server hashing collision attack"; 
sid:20825; gid:3; rev:8; classtype:attempted-dos; reference:cve,2011-3414; 
reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html<http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html>;
 
reference:url,technet.microsoft.com/en-us/security/advisory/2659883<http://technet.microsoft.com/en-us/security/advisory/2659883>;
 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100<http://technet.microsoft.com/en-us/security/bulletin/MS11-100>;
 reference:cve,2012-0830; reference:cve,2010-1899; reference:cve,2011-5037; metadata: engine shared, soid 3|20825, 
service http;)



   Regards,

   Anshuman





   From: Joel Esler (jesler) [mailto:jesler () cisco com]
   Sent: Thursday, February 20, 2014 9:06 PM
   To: Anshuman Anil Deshmukh
   Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
   Subject: Re: [Snort-users] Receiving alerts for a disabled rule



   If you are receiving the alert from the rule, then it is either:



   A) Not disabled

   B) You didn’t restart Snort after you disabled it.



   --
   Joel Esler
   Threat Intelligence Team Lead
   Open Source Manager
   Vulnerability Research Team



   On Feb 20, 2014, at 7:03 AM, Anshuman Anil Deshmukh <anshuman () cybage com<mailto:anshuman () cybage com>> wrote:






      Hi,



      Recently I found that I am getting alerts for one of the rule which is commented out. What could be the possible 
reason for generating such alert when the rule is disabled?



      Here are my setup details below.



      Snort version: Version 2.9.5 GRE (Build 103)

      Barnyard version: Version 2.1.9 (Build 263) - XFF patch (version 2)

      Rules are updating using pulledpork version 0.70 where all rules reside in one single file



      Below are the references of the actual rule and the alert generated on SNORBY.





      <image004.jpg>





      Thanks and Regards,

      Anshuman

      Information Security-Analyst




      "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private 
Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to 
be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents 
of this message is strictly prohibited. If you have received this electronic message in error please notify the sender 
by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to 
minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any 
malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or 
attachment." www.cybage.com<http://www.cybage.com/>

      <image001.png>------------------------------------------------------------------------------
      Managing the Performance of Cloud-Based Applications
      Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
      Read the Whitepaper.
      
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk_______________________________________________
      Snort-users mailing list
      Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
      Go to this URL to change user options or unsubscribe:
      https://lists.sourceforge.net/lists/listinfo/snort-users
      Snort-users list archive:
      http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

      Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!






   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited 
which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for 
the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this 
message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply 
e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the 
risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious 
content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or 
attachment." www.cybage.com<http://www.cybage.com>

   ------------------------------------------------------------------------------
   Flow-based real-time traffic analytics software. Cisco certified tool.
   Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
   Customize your own dashboards, set traffic alerts and generate reports.
   Network behavioral analysis & security monitoring. All-in-one tool.
   http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk

   _______________________________________________
   Snort-users mailing list
   Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
   Go to this URL to change user options or unsubscribe:
   https://lists.sourceforge.net/lists/listinfo/snort-users
   Snort-users list archive:
   http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

   Please visit http://blog.snort.org to stay current on all the latest Snort news!


"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited 
which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for 
the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this 
message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply 
e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the 
risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious 
content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or 
attachment." 
www.cybage.com

------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Receiving alerts for a disabled rule Anshuman Anil Deshmukh (Feb 20)
- Re: Receiving alerts for a disabled rule Joel Esler (jesler) (Feb 20)
  - Re: Receiving alerts for a disabled rule SnortFan (Feb 20)
  - Re: Receiving alerts for a disabled rule Anshuman Anil Deshmukh (Feb 28)
    - Re: Receiving alerts for a disabled rule SnortFan (Feb 28)
    - Re: Receiving alerts for a disabled rule Anshuman Anil Deshmukh (Mar 08)
    - Re: Receiving alerts for a disabled rule waldo kitty (Feb 28)