Snort mailing list archives

Re: Problem Disabling A Snort Rule


From: Jim Campbell via Snort-users <snort-users () lists snort org>
Date: Tue, 20 Nov 2018 12:46:46 -0500

Some time ago I posted a problem that I was having with the emergingthreats rule set (see below). I now know what the problem is but I don't know how to fix it. I posted the problem to doc.emergingthreats.net for sid:2018959 but several rules update cycles have gone by without the problem being fixed.

The problem is that the rule for sid:2018959 contains in part "reference:url,doc.emergingthreats.net/bin/view/Main/2000419;" (I am also disabling sid:2000419.) The rule for sid:2018959 should not contain the string "2000419". The "2000419" should be "2018959".

What can I do to get this rather simple fix implemented?

Thank you.

Jim Campbell

=========================================================

In my /etc/snort/disablesid.conf file I have specified 12 rules.

When I run barnyard2, it reports that while processing /etc/snort/disablesid.conf it has modified 11 rules and skipped 1 rule because it is already disabled.

For several months, the entry for sid:2018959, while specified in the disablesid.conf file, isn't being disabled. The other 11 rules in disablesid.conf are being disabled.

I believe I know why this is happening but don't know what to do about it. Here's what I found.

One of the entries in disablesid.conf is for sid:2000419. I have these entries in numeric order so it is before the entry for sid:2018959.

The entry for sid:2018959 contains in part "reference:url,doc.emergingthreats.net/bin/view/Main/2000419;". This text is prior to "sid:2018959;".

I suspect that when barnyard2 is parsing the entry for 2018959 it first comes across 2000419 and since it has already disabled the rule for 2000419 skips disabling 2018959.

Other rules have the number in the Reference: field the same as the Sid: field.

Thank you,

Jim Campbell
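The failure mode described in this thread (a sid number that also appears inside a rule's reference URL) is easy to reproduce, and the fix on the matching side is to parse the rule's own `sid:` option instead of searching for the digits anywhere in the line. The snippet below is an added illustration, not code from the post or from any Snort rule-management tool; the rule lines are constructed to mirror the two rules discussed, and the tool names, messages and the "already disabled" bookkeeping are assumptions.

```python
import re

# Constructed sample rules modelled on the post: rule B's reference URL contains
# rule A's sid number (2000419) while rule B's own sid is 2018959.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule A"; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2000419; sid:2000419; rev:5;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule B"; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2000419; sid:2018959; rev:3;)',
    '# alert tcp any any -> any any (msg:"EXAMPLE already disabled"; sid:2000001; rev:1;)',
]

# Match only the sid option itself: the keyword, a colon, digits, and the closing ';'.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def rule_sid(rule):
    """Return the rule's own sid as an int, or None if the line carries no sid option."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def naive_matches(rule, sid):
    """The fragile check: true whenever the digits occur anywhere, reference URLs included."""
    return str(sid) in rule


def disable_rules(rules, sids_to_disable):
    """Comment out rules whose parsed sid is listed; report which were modified or skipped.

    A rule already commented out is counted as skipped, mirroring the tool output quoted
    in the post (an assumed bookkeeping convention, not a documented one).
    """
    out, modified, skipped = [], [], []
    for rule in rules:
        body = rule.lstrip()
        already_disabled = body.startswith('#')
        sid = rule_sid(body.lstrip('# '))
        if sid in sids_to_disable:
            if already_disabled:
                skipped.append(sid)
                out.append(rule)
            else:
                modified.append(sid)
                out.append('# ' + rule)
        else:
            out.append(rule)
    return out, modified, skipped
```

Running `disable_rules(SAMPLE_RULES, {2000419, 2018959, 2000001})` disables both rule A and rule B, whereas `naive_matches(SAMPLE_RULES[1], 2000419)` shows how a substring check would wrongly associate rule B with sid 2000419.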