Snort mailing list archives

Re: !!Rolling back Snort rule files!!
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 29 Oct 2010 14:28:38 -0500

Hello.  Yes, that is good.  I say add a configurable variable to set
how many revisions back get stored and then also have a command line
switch option that can instruct PP to restore rules rather than update
them.  It would also take in another var ... something like a number
indicating how many releases back you want to restore or a filename to
restore from.

Shouldn't be too hard in PERL.  Don't forget to account for the SO
rules and plain text rules.

L0rd C.

On Fri, Oct 29, 2010 at 2:03 PM, JJ Cummings <cummingsj () gmail com> wrote:
Consider it added in the forthcoming release

Sent from the iRoad
On Oct 29, 2010, at 12:27, Joel Esler <jesler () sourcefire com> wrote:

Actually -b (I think) in oinkmaster does a backup before updating.
But I like the idea of being able to keep a couple backups and auto
revert back if needed using pulledpork.
JJ?

--
Sent from my iPad
On Oct 29, 2010, at 2:21 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:

I don't see it as an option in Oinkmaster - so here's a question for the
Pulled Pork users - is there a "backup rules before updating" option?  Maybe
tar & gz the last 5 rules updates would be a good option, just in case you
get a really screwed up ruleset.

-J

-----Original Message-----
From: JJ Cummings [mailto:cummingsj () gmail com]
Sent: Friday, October 29, 2010 2:07 PM
To: Miso Patel
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] !!Rolling back Snort rule files!!

The other option that might work, grab all of the rules that are new /
changed in this update and disable by sid using PP or oinkmaster, that
should be maybe a 5 minute exercise.

Sent from the iRoad
On Oct 29, 2010, at 11:50, Miso Patel <miso.patel () gmail com> wrote:

It looks like many of the MS Kodak imaging malformed tiff rules were from
TIFF downloads from Akamai and Deltacom ... looks like a lot of MSNBC news
sites.  I am running Snort with gzip decoding enabled.  Anyone else seeing
this?

Thanks, I'm going to check our backups now.

Miso Patel, CISO

On Fri, Oct 29, 2010 at 12:35 PM, Joel Esler <jesler () sourcefire com> wrote:

There is not an option to use a "previous ruleset"; you would have to
back up your previous ruleset before you update it, since they are in the
flat files.

What SIDs are giving you the problems?  Do you have pcaps for the traffic?

After I received your emails I checked my alerts and I don't have either
one of these (I'm not a good test case) alerting on my networks.  Any more
information you can provide?

J

On Oct 29, 2010, at 1:24 PM, Miso Patel wrote:

Today we installed the newest VRT community rules on our Snort sensors.
Almost immediately we started seeing increased alert volume and further
investigation shows that these are all false positives. We see *tons* of
events for the Microsoft Kodak imaging malformed tiff rules along with other
alerts like Mozilla Firefox image dragging exploit and more.

Right now the SIEM is swamped and I've made the decision to go back to
the old rules ... is there an easy way to do this?  I don't see them online
and my engineers tell me that there is not an option in Snort to instruct it
to use the previous ruleset (e.g. snort --use-prev).  Any help is much
appreciated.

Thank you.

Miso Patel, CISO


------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
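The thread suggests two things pulledpork did not do at the time: keep the last few rule drops as tar.gz archives so a bad update can be reverted, and restore a chosen number of releases back. The script below is an added example written for this archive page, not pulledpork's or oinkmaster's code; it assumes the rules live in one directory (plain-text .rules files and SO stub files together) and that Snort is reloaded separately after a restore.

```python
import shutil, tarfile, tempfile, time
from pathlib import Path

PREFIX, SUFFIX = "rules-", ".tar.gz"

def list_snapshots(backup_dir: Path) -> list:
    """Snapshots oldest-first; the zero-padded stamp makes name order equal age order."""
    return sorted(backup_dir.glob(PREFIX + "*" + SUFFIX))

def snapshot_rules(rules_dir: Path, backup_dir: Path, keep: int = 5) -> Path:
    """Run before every update: tar+gzip the whole rules directory (plain-text .rules
    and SO rule stubs alike), then prune so only the newest `keep` archives remain."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    snaps, stamp = list_snapshots(backup_dir), time.time_ns()
    if snaps:  # keep names strictly increasing even on a coarse clock
        stamp = max(stamp, int(snaps[-1].name[len(PREFIX):-len(SUFFIX)]) + 1)
    archive = backup_dir / f"{PREFIX}{stamp:020d}{SUFFIX}"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(rules_dir, arcname=rules_dir.name)
    for stale in list_snapshots(backup_dir)[:-keep]:
        stale.unlink()
    return archive

def restore_rules(rules_dir: Path, backup_dir: Path, back: int = 1) -> Path:
    """Replace rules_dir with the snapshot taken `back` updates ago (1 = newest).
    Snort reads flat rule files only at start-up/SIGHUP, so reload it afterwards."""
    snaps = list_snapshots(backup_dir)
    if not 1 <= back <= len(snaps):
        raise ValueError(f"{len(snaps)} snapshot(s) kept; cannot go back {back}")
    shutil.rmtree(rules_dir)  # the archive holds the complete directory
    with tarfile.open(snaps[-back]) as tar:
        tar.extractall(rules_dir.parent)
    return snaps[-back]

def demo() -> tuple:
    """Three simulated updates with keep=2, then roll back one and two releases.
    Returns (ruleset after back=1, ruleset after back=2, snapshots kept)."""
    with tempfile.TemporaryDirectory() as tmp:
        rules, backups = Path(tmp, "rules"), Path(tmp, "backups")
        rules.mkdir()
        for release in ("v1", "v2", "v3"):  # constructed stand-ins for rule drops
            snapshot_rules(rules, backups, keep=2)
            (rules / "local.rules").write_text(release)
        kept = len(list_snapshots(backups))
        restore_rules(rules, backups, back=1)
        after_one = (rules / "local.rules").read_text()
        restore_rules(rules, backups, back=2)
        after_two = (rules / "local.rules").read_text()
    return after_one, after_two, kept
```

Because the snapshot is taken before the update, `back=1` is always the ruleset that was running before the most recent drop, which is what the thread asks for.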
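JJ's alternative to a rollback is to find the rules an update added or changed and disable just those by SID. The following is an added example for this page, not code from pulledpork or oinkmaster; it diffs two rules files by gid:sid and rev (constructed sample rules, placeholder SIDs in the local range) and emits the gid:sid lines that pulledpork's disablesid.conf accepts. A rule counts as "touched" if it is active after the update and was not active with the same rev before it.

```python
import re

# Constructed sample rulesets standing in for a flat .rules file before and after
# an update (not real VRT rules; the SIDs are placeholders in the local range).
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"UNCHANGED"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ABOUT TO CHANGE"; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"DISABLED BY VENDOR"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"ABOUT TO BE ENABLED"; sid:1000005; rev:1;)
"""
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"UNCHANGED"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CHANGED"; sid:1000002; rev:2;)
# alert tcp any any -> any any (msg:"DISABLED BY VENDOR"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NEW"; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"NOW ENABLED"; sid:1000005; rev:1;)
"""

# Rule options are "key:value;" pairs; gid defaults to 1 when the option is absent.
OPT = {k: re.compile(rf"\b{k}\s*:\s*(\d+)\s*;") for k in ("gid", "sid", "rev")}

def index_rules(text: str) -> dict:
    """Map (gid, sid) -> (rev, enabled) for every rule, including the ones the
    vendor ships commented out ('# alert ...'), so state changes are visible."""
    index = {}
    for line in text.splitlines():
        enabled = not line.lstrip().startswith("#")
        body = line.lstrip().lstrip("#")
        sid = OPT["sid"].search(body)
        if sid is None:
            continue  # blank line, plain comment, or not a rule
        gid, rev = OPT["gid"].search(body), OPT["rev"].search(body)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        index[key] = (int(rev.group(1)) if rev else 0, enabled)
    return index

def new_or_changed(old_text: str, new_text: str) -> list:
    """'gid:sid' entries for rules that are active after the update and were not
    active with the same rev before it: brand-new, rev-bumped, or newly enabled.
    That is the list to drop into pulledpork's disablesid.conf to silence only
    what the update touched until the false positives are dealt with."""
    old, new = index_rules(old_text), index_rules(new_text)
    return [f"{gid}:{sid}" for (gid, sid), (rev, enabled) in sorted(new.items())
            if enabled and old.get((gid, sid)) != (rev, True)]

if __name__ == "__main__":
    print("\n".join(new_or_changed(OLD_RULES, NEW_RULES)))
```

Run it against the previous and current copies of each .rules file (which is why keeping the previous copy matters); the output for the sample above is 1:1000002, 1:1000004 and 1:1000005.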
