alerts not being ignored


Joseph Spenner

Jul 26, 2013, 12:12:24 PM7/26/13
to securit...@googlegroups.com
Hello,
I'm running securityonion-12.04.1-20130605 and trying to set up some disablesid.conf and/or threshold.conf rules to drop a certain event, but it's not working.

The event I'm targeting is:
  "BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"

SigID: 19187
GenID: 1

I made entries:

/etc/nsm/pulledpork/disablesid.conf:
1:19187

and

/etc/nsm/rules/threshold.conf
suppress gen_id 1, sig_id 19187, track by_dst, ip my.dest.ip

did:
# /usr/bin/rule-update

and even rebooted, but the events still show up.

Any thoughts/ideas would be great.

Thanks!

Regards,
Joseph Spenner

______________________________________________________________________
If life gives you lemons, keep them-- because hey.. free lemons.
"♥ Sticker" fixer:  http://microflush.org/stuff/stickers/heartFix.html


Heine Lysemose

Jul 26, 2013, 3:46:26 PM7/26/13
to securit...@googlegroups.com

Hi Joseph

Could you post the whole rule? I suspect that there might be a flowbit involved here.

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Joseph Spenner

Jul 26, 2013, 4:10:17 PM7/26/13
to securit...@googlegroups.com
Lysemose:
  Here's the rule:
--
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: engine shared, soid 3|19187;)

--

Thanks!
Interesting, though. That rule (which I got from the "View Rule" button on the web interface) has a different gid. The web interface itself has a Generator ID of 1. The rule above has 3?

Heine Lysemose

Jul 27, 2013, 1:22:01 AM7/27/13
to securit...@googlegroups.com

Exactly, that's the problem. Try disabling or suppressing the rule with 3:19187...

Regards,
Lysemose
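To make the gid mismatch in this thread concrete, here is a small checker, added as an example and not code from the thread, Security Onion or pulledpork. It extracts the (gid, sid) pair from a Snort rule body (gid defaults to 1 when the rule carries no explicit gid option, which is why the web interface showed Generator ID 1 for text rules), parses the simple `gid:sid` form of disablesid.conf and the `suppress gen_id N, sig_id M` form of threshold.conf, and reports whether any entry actually targets the rule. The rule text and config snippets below are constructed from the values in this thread; the destination IP is a placeholder.

```python
import re

# Constructed from the thread: the shared-object rule Joseph posted (gid 3, sid 19187).
SO_RULE = (
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC TMG Firewall Client '
    'long host entry exploit attempt"; sid:19187; gid:3; rev:2; classtype:attempted-user; '
    'reference:cve,2011-1889; metadata: engine shared, soid 3|19187;)'
)

# Constructed text rule with no explicit gid option; Snort treats it as gid 1.
TEXT_RULE = 'alert tcp any any -> any 80 (msg:"example text rule"; sid:1000001; rev:1;)'

# Constructed config snippets: the entries from the thread (gid 1) and the corrected ones (gid 3).
WRONG_DISABLESID = "# disablesid.conf as first written\n1:19187\n"
WRONG_THRESHOLD = "suppress gen_id 1, sig_id 19187, track by_dst, ip 192.0.2.10\n"
RIGHT_DISABLESID = "3:19187\n"
RIGHT_THRESHOLD = "suppress gen_id 3, sig_id 19187, track by_dst, ip 192.0.2.10\n"


def rule_identity(rule):
    """Return (gid, sid) for a Snort rule body; gid defaults to 1 when absent."""
    sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', rule)
    if not sid:
        raise ValueError("rule has no sid option")
    gid = re.search(r'\bgid\s*:\s*(\d+)\s*;', rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def parse_disablesid(text):
    """Parse the simple 'gid:sid' entries of disablesid.conf into a set of (gid, sid).

    Assumption: only the plain gid:sid form (comma-separated, '#' comments) is handled here;
    pulledpork's category and range syntax is not modelled.
    """
    entries = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        for item in line.split(','):
            gid, sid = item.strip().split(':')
            entries.add((int(gid), int(sid)))
    return entries


def parse_suppressions(text):
    """Parse threshold.conf 'suppress gen_id N, sig_id M, ...' lines into (gid, sid) pairs."""
    entries = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)', line)
        if m:
            entries.add((int(m.group(1)), int(m.group(2))))
    return entries


def coverage(rule, disablesid_text, threshold_text):
    """Report whether the configured entries really target this rule's (gid, sid)."""
    ident = rule_identity(rule)
    return {
        "rule": ident,
        "disabled": ident in parse_disablesid(disablesid_text),
        "suppressed": ident in parse_suppressions(threshold_text),
    }


if __name__ == "__main__":
    # The gid 1 entries never match the gid 3 rule; the gid 3 entries do.
    print("as written:", coverage(SO_RULE, WRONG_DISABLESID, WRONG_THRESHOLD))
    print("corrected: ", coverage(SO_RULE, RIGHT_DISABLESID, RIGHT_THRESHOLD))
    print("text rule: ", rule_identity(TEXT_RULE))
```

Running it shows the mismatch directly: the `1:19187` and `gen_id 1` entries report `disabled: False` and `suppressed: False` against the gid 3 rule, while the `3:19187` and `gen_id 3` versions report `True`. Suppression and disabling are keyed on the full gid:sid pair, so the generator id shown beside an alert, not the one assumed for text rules, is the value that has to go into both files.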

Joel Esler

Jul 26, 2013, 11:50:08 PM7/26/13
to securit...@googlegroups.com
It’s a GID 3 rule. If you’ve patched the 2011-1889 vuln, I suggest you shut the rule off.