This was never really supposed to work, and if it did work, it must have
been a bug in Snort. I suggest checking out the threshold.conf file
for details on how to keep the alerts enabled but suppress them for
certain hosts. That's probably the most straightforward way of doing
what you want.
David
Vidar Hoel wrote:
David J. Bianco wrote:
You've never been allowed to have duplicate SIDs, unless they both also
have the "rev:" tag to indicate revision.
Yes, we have. Here is an example of rules we have used since up until 2.8:
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"ALERT TCP traffic on
illegal port, possible new service exposed"; flags:SA; classtype:
proseq-alert; sid: 1000100; rev:1;)
pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.83 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)
pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.84 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)
pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.94 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)
As you see, we have three pass-rules and an alert rule, all with same
sid and rev. And this works perfectly.
BTW, if you're going to do this, you might as well just disable the
original rule entirely. If you're going to pass the matching traffic,
it's just more efficient to not have the rule at all.
As you see of the example above, we do not pass the rule 1:1, but for
some of the traffic it would match.
Regards,
Vidar Hoel
Telenor SOC
Vidar Hoel wrote:
Hi,
We have just tried Snort 2.8 on one of our test-sensors, and discovered
a new "feature" not mentioned in the release notes:
As an example: In our ruleset, we have one alert-rule with SID 1234. But
for this rule, we create some pass-rules, also with SID 1234. This way
it's easy to keep tracking of which pass-rules an alert-rule have, and
vice versa.
But with Snort 2.8, this is not possible. Snort 2.8 will not start, and
complain that we already have a rule with SID 1234.
What is the reason for this change, since it's not mentioned in the
release notes? Or is it just a bug?
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
