Home page logo

snort logo Snort mailing list archives

Re: !!Rolling back Snort rule files!!
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 29 Oct 2010 19:28:24 -0400

On 10/29/2010 13:24, Miso Patel wrote:
Today we installed the newest VRT community rules on our Snort sensors.  Almost
immediately we started seeing increased alert volume and further investigation
shows that these are all false positives. We see *tons* of events for the
Microsoft Kodak imaging malformed tiff rules along with other alerts like
Mozilla firefox image dragging exploit and more.

i saw some of this when i moved up to with a more complete compile than 
we were using previously... i disabled ot suppressed those rules because of the 
higher number alerts that were apparently FPs...

Right now the SIEM is swamped and I've made the decision to go back to the old
rules ... is there an easy way to do this?  I don't see them online and my
engineers tell me that there is not an option in Snort to instruct it to use the
previous ruleset (e.g. snort --use-prev).  Any help is much appreciated.

i'm sure you have a workable answer to this by now but you'd basically have to 
wipe out your current rules sets and then update them using the previous snort 
version's version number... this would be done in your rules sets updater tool, 
whatever that may be...

Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]