mailing list archives
Re: !!Rolling back Snort rule files!!
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Fri, 29 Oct 2010 14:29:40 -0400
Wow the very first command line option - how did I miss that?
-b dir If the rules have been modified, a tarball of your old rules
will be put in dir before overwriting them with the new files. No backup
is done if no file has changed or if Oinkmaster is running in careful
Already added to my oink script.... Thanks Joel!
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, October 29, 2010 2:27 PM
To: Weir, Jason
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] !!Rolling back Snort rule files!!
Actually -b (I think) in oinkmaster does a backup before
But I the like the idea of being able to keep a couple backups
and auto revert back if needed using pulledpork.
Sent from my iPad
On Oct 29, 2010, at 2:21 PM, "Weir, Jason" <jason.weir () nhrs org>
I don't see it as an option in Oinkmaster - so here's a
question for the Pulled Pork users - is there a "backup rules before
updating" option? Maybe tar & gz the last 5 rules updates would be a
good option, just in case you get a really screwed up ruleset..
From: JJ Cummings [mailto:cummingsj () gmail com]
Sent: Friday, October 29, 2010 2:07 PM
To: Miso Patel
Cc: <mailto:snort-sigs () lists sourceforge net>
snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] !!Rolling back Snort
The other option that might work, grab all of
the rules that are new / changed in this update and disable by sid using
PP or oinkmaster, that should be maybe a 5 minute exercise.
Sent from the iRoad
On Oct 29, 2010, at 11:50, Miso Patel <
<mailto:miso.patel () gmail com> miso.patel () gmail com> wrote:
It looks like many of the MS Kodak
imaging malformed tiff rules were from TIFF downloads from Akamai and
Deltacom ... looks like a lot of MSNBC news sites. I am running Snort
with gzip decoding eneabled. Anyone else seeing this?
Thanks, I'm going to check our backups
Miso Patel, CISO
On Fri, Oct 29, 2010 at 12:35 PM, Joel
Esler < <mailto:jesler () sourcefire com> <mailto:jesler () sourcefire com>
jesler () sourcefire com> wrote:
There is not an option to use a
"previous ruleset", you would have to backup your previous ruleset
before you update it, since they are in the flat files.
What SIDs are giving you the problems?
Do you have pcaps for the traffic?
After I received your emails I checked
my alerts and I don't have either one of these (I'm not a good test
case) alerting on my networks. Any more information you can provide?
On Oct 29, 2010, at 1:24 PM, Miso Patel
> Today we installed the newest VRT
community rules on our Snort sensors. Almost immediately we started
seeing increased alert volume and further investigation shows that these
are all false positives. We see *tons* of events for the Microsoft Kodak
imaging malformed tiff rules along with other alerts like Mozilla
firefox image dragging exploit and more.
> Right now the SIEM is swamped and I've
made the decision to go back to the old rules ... is there an easy way
to do this? I don't see them online and my engineers tell me that there
is not an option in Snort to instruct it to use the previous ruleset
(e.g. snort --use-prev). Any help is much appreciated.
> Thank you.
> Miso Patel, CISO
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
Re: !!Rolling back Snort rule files!! waldo kitty (Oct 29)