Snort mailing list archives

Re: !!Rolling back Snort rule files!!
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Fri, 29 Oct 2010 14:29:40 -0400

Wow the very first command line option - how did I miss that?
 
-b dir    If the rules have been modified, a tarball of your old rules will be put in dir before overwriting them with the new files. No backup is done if no file has changed or if Oinkmaster is running in careful mode.
 
Already added to my oink script.... Thanks Joel!
 
-J

        -----Original Message-----
        From: Joel Esler [mailto:jesler () sourcefire com] 
        Sent: Friday, October 29, 2010 2:27 PM
        To: Weir, Jason
        Cc: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] !!Rolling back Snort rule files!!
        
        
        Actually -b (I think) in oinkmaster does a backup before updating.

        But I like the idea of being able to keep a couple of backups and auto-revert if needed using pulledpork.

        JJ?
        
        
        --
        Sent from my iPad

        On Oct 29, 2010, at 2:21 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:
        
        

                I don't see it as an option in Oinkmaster - so here's a question for the Pulled Pork users - is there a "backup rules before updating" option?  Maybe tar & gz the last 5 rules updates would be a good option, just in case you get a really screwed up ruleset..
                 
                -J

                        -----Original Message-----
                        From: JJ Cummings [mailto:cummingsj () gmail com] 
                        Sent: Friday, October 29, 2010 2:07 PM
                        To: Miso Patel
                        Cc: snort-sigs () lists sourceforge net
                        Subject: Re: [Snort-sigs] !!Rolling back Snort rule files!!
                        
                        
                        The other option that might work, grab all of the rules that are new / changed in this update and disable by sid using PP or oinkmaster, that should be maybe a 5 minute exercise.
                        
                        Sent from the iRoad

                        On Oct 29, 2010, at 11:50, Miso Patel <miso.patel () gmail com> wrote:
                        
                        

                                It looks like many of the MS Kodak imaging malformed tiff rules were from TIFF downloads from Akamai and Deltacom ... looks like a lot of MSNBC news sites.  I am running Snort with gzip decoding enabled.  Anyone else seeing this?
                                
                                Thanks, I'm going to check our backups now.
                                
                                Miso Patel, CISO
                                
                                
                                On Fri, Oct 29, 2010 at 12:35 PM, Joel Esler <jesler () sourcefire com> wrote:
                                

                                There is not an option to use a "previous ruleset", you would have to backup your previous ruleset before you update it, since they are in the flat files.
                                
                                What SIDs are giving you the problems? Do you have pcaps for the traffic?
                                
                                After I received your emails I checked my alerts and I don't have either one of these (I'm not a good test case) alerting on my networks.  Any more information you can provide?
                                
                                J
                                

                                On Oct 29, 2010, at 1:24 PM, Miso Patel wrote:
                                
                                > Today we installed the newest VRT community rules on our Snort sensors.  Almost immediately we started seeing increased alert volume and further investigation shows that these are all false positives. We see *tons* of events for the Microsoft Kodak imaging malformed tiff rules along with other alerts like Mozilla firefox image dragging exploit and more.
                                >
                                > Right now the SIEM is swamped and I've made the decision to go back to the old rules ... is there an easy way to do this?  I don't see them online and my engineers tell me that there is not an option in Snort to instruct it to use the previous ruleset (e.g. snort --use-prev).  Any help is much appreciated.
                                >
                                > Thank you.
                                >
                                > Miso Patel, CISO
                                

_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
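Added example, not code from this thread and not Oinkmaster's or PulledPork's own: a POSIX shell script that does what the replies above sketch. backup_rules tars the current rules directory before an update, the way Oinkmaster's "-b dir" does; prune_backups keeps only the newest N tarballs (the "last 5 updates" idea); restore_rules rolls back to one of them; and changed_sids lists the SIDs whose rule text is new or different between the backed-up copy and the updated tree, so they can go into a disablesid list instead of reverting the whole ruleset. The directory layout, function names and the sample rules are assumptions for the example, and the demo at the end runs entirely in a scratch directory.

```shell
#!/bin/sh
# Added example: not code from this thread, Oinkmaster or PulledPork.
# It does the three things the replies above talk about: tar the current
# rules before an update (what Oinkmaster's "-b dir" does), keep only the
# last N tarballs and roll back to one, and list the SIDs an update added
# or changed so they can be disabled instead of reverting everything.
# Directory layout, file names and the sample rules are assumptions.
export LC_ALL=C   # byte-order sorting so sort(1) and comm(1) agree

# backup_rules RULES_DIR BACKUP_DIR
# Writes BACKUP_DIR/rules-<timestamp>-<seq>.tar.gz and prints its path.
backup_rules() {
    rules_dir=$1 backup_dir=$2
    mkdir -p "$backup_dir"
    stamp=$(date +%Y%m%d-%H%M%S) n=1
    tarball="$backup_dir/rules-$stamp-$(printf '%02d' "$n").tar.gz"
    while [ -e "$tarball" ]; do       # two snapshots in one second: bump seq
        n=$((n + 1))
        tarball="$backup_dir/rules-$stamp-$(printf '%02d' "$n").tar.gz"
    done
    tar -czf "$tarball" -C "$(dirname "$rules_dir")" "$(basename "$rules_dir")"
    printf '%s\n' "$tarball"
}

# prune_backups BACKUP_DIR KEEP -- delete all but the newest KEEP tarballs.
# The timestamp plus zero-padded sequence number in the name means a plain
# string sort is also a chronological sort.
prune_backups() {
    ls "$1"/rules-*.tar.gz 2>/dev/null | sort -r | tail -n +"$(($2 + 1))" |
    while IFS= read -r old; do rm -f "$old"; done
}

# count_backups BACKUP_DIR -- number of tarballs currently kept.
count_backups() {
    ls "$1"/rules-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# restore_rules TARBALL RULES_DIR -- replace RULES_DIR with the tarball's copy
# (the tarball was taken relative to RULES_DIR's parent, so extract there).
restore_rules() {
    rm -rf "$2"
    tar -xzf "$1" -C "$(dirname "$2")"
}

# sid_index DIR -- one "sid<TAB>rule line" per rule in DIR/*.rules, sorted.
sid_index() {
    cat "$1"/*.rules 2>/dev/null | awk '
        match($0, /sid:[ ]*[0-9]+/) {
            s = substr($0, RSTART, RLENGTH); sub(/sid:[ ]*/, "", s)
            print s "\t" $0
        }' | sort
}

# changed_sids OLD_DIR NEW_DIR -- SIDs whose rule text is absent from OLD_DIR
# or differs from it (new rule, rev bump, edited match, (un)commented rule).
# Feed the output to a disablesid list in PulledPork or Oinkmaster.
changed_sids() {
    old_idx=$(mktemp) new_idx=$(mktemp)
    sid_index "$1" > "$old_idx"
    sid_index "$2" > "$new_idx"
    comm -13 "$old_idx" "$new_idx" | cut -f1 | sort -un
    rm -f "$old_idx" "$new_idx"
}

# demo -- walks through an update on constructed sample rules (not real VRT
# rules) in a scratch directory and prints a one-line summary.
demo() {
    work=$(mktemp -d)
    rules="$work/rules" backups="$work/backup"
    mkdir -p "$rules"
    printf '%s\n' \
      'alert tcp any any -> any 80 (msg:"one"; content:"a"; sid:1000001; rev:1;)' \
      'alert tcp any any -> any 80 (msg:"two"; content:"b"; sid:1000002; rev:1;)' \
      > "$rules/local.rules"
    snap=$(backup_rules "$rules" "$backups")          # 1. snapshot before updating
    printf '%s\n' \
      'alert tcp any any -> any 80 (msg:"one"; content:"a"; sid:1000001; rev:2;)' \
      'alert tcp any any -> any 80 (msg:"two"; content:"b"; sid:1000002; rev:1;)' \
      'alert tcp any any -> any 80 (msg:"three"; content:"c"; sid:1000003; rev:1;)' \
      > "$rules/local.rules"                           # 2. the update lands
    mkdir "$work/old" && tar -xzf "$snap" -C "$work/old"
    changed=$(changed_sids "$work/old/rules" "$rules" | xargs)   # 3. 1000001 1000003
    restore_rules "$snap" "$rules"                     # 4. full rollback instead
    rev1=$(grep -c 'sid:1000001; rev:1;' "$rules/local.rules")
    backup_rules "$rules" "$backups" > /dev/null       # 5. two more snapshots ...
    backup_rules "$rules" "$backups" > /dev/null
    prune_backups "$backups" 2                         #    ... keep the newest two
    kept=$(count_backups "$backups")
    if [ -e "$snap" ]; then kept="$kept (oldest not pruned)"; fi
    rm -rf "$work"
    printf 'changed=%s kept=%s restored_rev1=%s\n' "$changed" "$kept" "$rev1"
}

demo
```

In use, call backup_rules right before running oinkmaster or pulledpork, then unpack the tarball somewhere and run changed_sids against the updated rules directory; the printed SIDs are what goes into PulledPork's disablesid.conf or Oinkmaster's disablesid lines, in the form those tools expect. The comparison is on the full rule text, so a rev bump alone counts as a change, which is what you want when triaging a noisy update: the rules that could have started firing are exactly the ones whose text moved.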
