Home page logo

snort logo Snort mailing list archives

Re: !!Rolling back Snort rule files!!
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Fri, 29 Oct 2010 14:16:29 -0400

I don't see it as an option in Oinkmaster - so here's a question for the
Pulled Pork users - is there a "backup rules before updating" option?
Maybe tar & gz the last 5 rules updates would be a good option, just in
case you get a really screwed up ruleset..

        -----Original Message-----
        From: JJ Cummings [mailto:cummingsj () gmail com] 
        Sent: Friday, October 29, 2010 2:07 PM
        To: Miso Patel
        Cc: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] !!Rolling back Snort rule files!!
        The other option that might work, grab all of the rules that are
new / changed in this update and disable by sid using PP or oinkmaster,
that should be maybe a 5 minute exercise.
        Sent from the iRoad

        On Oct 29, 2010, at 11:50, Miso Patel <miso.patel () gmail com>

                It looks like many of the MS Kodak imaging malformed
tiff rules were from TIFF downloads from Akamai and Deltacom ... looks
like a lot of MSNBC news sites.  I am running Snort with gzip decoding
eneabled.  Anyone else seeing this?
                Thanks, I'm going to check our backups now.
                Miso Patel, CISO
                On Fri, Oct 29, 2010 at 12:35 PM, Joel Esler <
<mailto:jesler () sourcefire com> jesler () sourcefire com> wrote:

                        There is not an option to use a "previous
ruleset", you would have to backup your previous ruleset before you
update it, since they are in the flat files.
                        What SIDs are giving you the problems?  Do you
have pcaps for the traffic?
                        After I received your emails I checked my alerts
and I don't have either one of these (I'm not a good test case) alerting
on my networks.  Any more information you can provide?

                        On Oct 29, 2010, at 1:24 PM, Miso Patel wrote:
                        > Today we installed the newest VRT community
rules on our Snort sensors.  Almost immediately we started seeing
increased alert volume and further investigation shows that these are
all false positives. We see *tons* of events for the Microsoft Kodak
imaging malformed tiff rules along with other alerts like Mozilla
firefox image dragging exploit and more.
                        > Right now the SIEM is swamped and I've made
the decision to go back to the old rules ... is there an easy way to do
this?  I don't see them online and my engineers tell me that there is
not an option in Snort to instruct it to use the previous ruleset (e.g.
snort --use-prev).  Any help is much appreciated.
                        > Thank you.
                        > Miso Patel, CISO


Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]