Re: [security-onion] disabling rules / ID not doing what I expect


Heine Lysemose

Jul 26, 2012, 2:36:12 PM
to securit...@googlegroups.com

Hi

Take a look at this link, http://code.google.com/p/security-onion/wiki/ManagingAlerts

It looks like you're editing the right file; however, if you're using a distributed setup, remember to edit the file on your server, since the file is downloaded from the server to the sensors. Furthermore, remember to run the pulledpork update script afterwards, since it will create the new rules file with the changes you've made.

/Lysemose

On Jul 26, 2012 8:18 PM, "jems" <josep...@yahoo.com> wrote:
There is an alert showing up which I know to be erroneous, so I wish to disable it.  The alert is:

"ET SHELLCODE Possible Call with No Offset TCP Shellcode "
  Generator ID = 1
  Sig. ID = 2012086

I made an entry in /etc/pulledpork/disablesid.conf 3 days ago, on 7.23

# disable "ET SHELLCODE Possible Call with No Offset TCP Shellcode
1:2012086

How does this take effect? Does it actually get 'commented out' in the /etc/nsm/rules/downloaded.rules file by some process?
If I search my current downloaded.rules file, as well as the rules in /etc/nsm/rules/backup I see the entry show up, but the last pull earlier today has that entry commented out:

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)

The timestamp of my current downloaded.rules file is a half hour later than my last event from the above rule, so perhaps the rule got disabled.  But why 3 days later?
Or am I misunderstanding how all this works?

Thanks!


--
If life gives you lemons, keep them-- because hey.. free lemons.
"♥ Sticker" fixer:  http://microflush.org/stuff/stickers/heartFix.html


Heine Lysemose

Jul 26, 2012, 4:07:24 PM
to securit...@googlegroups.com


On Jul 26, 2012 9:34 PM, "jems" <joseph85750@yahoo.com> wrote:
>
> Thanks for the reply/info!
No problem, just following Doug's advice from earlier today regarding helping out so we can get BDR done.
> I've seen the ManagingAlerts page, which is what I was using as a guide.
> I do not have multiple sensors (yet), so everything is on the one server.
>
> From what I can tell, the pulledpork_update.sh calls /usr/local/bin/pulledpork.pl, which appears to read the /etc/pulledpork/disablesid.conf file, and perhaps comment out those entries in the recently downloaded downloaded.rules.  Is this correct?
>
Yep. It reads the different conf files and puts together the downloaded.rules file used by Snort. As you wrote earlier, you can check the outcome of the disabled rules in the downloaded.rules file. You should see that the entry is commented out.
> I'm still not clear why it took 3 days to comment out my entry, since it runs daily.
>
I don't know that either...
>
/Lysemose
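As an added illustration (not code from this thread, from Security Onion or from pulledpork itself), the script below does what the reply describes: it reads gid:sid entries from a disablesid.conf, comments out the matching rules in a rules file, and reports whether a given sid ended up disabled, which is the check jems did by hand on downloaded.rules. It only handles plain gid:sid lines (not pulledpork's range, pcre or category entries), and the conf and rule text are constructed samples built from the rule quoted in the thread.

```python
import re
# Constructed sample disablesid.conf in pulledpork's gid:sid form ('#' comments allowed).
DISABLESID_CONF = """\
# disable "ET SHELLCODE Possible Call with No Offset TCP Shellcode"
1:2012086
"""
# Constructed sample rules file; the first rule is the one quoted in the thread.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; classtype:shellcode-detect; sid:2012086; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE unrelated rule"; sid:9999999; rev:1;)
"""
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')

def parse_disablesid(text):
    """Return the set of (gid, sid) pairs listed in a disablesid.conf."""
    disabled = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        gid, _, sid = line.partition(':')
        if not sid:                            # bare sid: Snort's default gid is 1
            gid, sid = '1', gid
        disabled.add((int(gid), int(sid)))
    return disabled

def rule_key(line):
    """(gid, sid) of a rule line, or None if the line carries no sid option."""
    m = SID_RE.search(line)
    if not m:
        return None
    g = GID_RE.search(line)
    return (int(g.group(1)) if g else 1, int(m.group(1)))

def apply_disablesid(rules_text, disabled):
    """Comment out every active rule whose (gid, sid) is in `disabled`."""
    out = []
    for line in rules_text.splitlines():
        if not line.lstrip().startswith('#') and rule_key(line) in disabled:
            line = '# ' + line                 # how a disabled sid looks in downloaded.rules
        out.append(line)
    return '\n'.join(out) + '\n'

def rule_state(rules_text, gid, sid):
    """'disabled', 'enabled' or 'missing' for one rule: the check done by hand in the thread."""
    for line in rules_text.splitlines():
        if rule_key(line) == (gid, sid):
            return 'disabled' if line.lstrip().startswith('#') else 'enabled'
    return 'missing'
```

Running `rule_state` against the current /etc/nsm/rules/downloaded.rules is a quick way to confirm whether the update script has actually applied a disablesid.conf entry yet.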

Heine Lysemose

Jul 27, 2012, 6:24:18 AM
to securit...@googlegroups.com


On Jul 26, 2012 11:08 PM, "jems" <josep...@yahoo.com> wrote:
>
> I think I know why the update took 3 days.  It appears I was not able to fetch the downloaded.rules nightly:
>
>  md5sum *
>
> 81c4159c40d72043b820ceb88f548179  downloaded.rules.20120719230920
> 8fe45985d0abe9661f6032d96395e85f  downloaded.rules.20120720070101
> 8fe45985d0abe9661f6032d96395e85f  downloaded.rules.20120721070102
> 8fe45985d0abe9661f6032d96395e85f  downloaded.rules.20120722070101
> 7f66ad3b7656529dd45a8f9203b25898  downloaded.rules.20120723070101
> 7f66ad3b7656529dd45a8f9203b25898  downloaded.rules.20120724070101
> 7f66ad3b7656529dd45a8f9203b25898  downloaded.rules.20120725070101
> 7f66ad3b7656529dd45a8f9203b25898  downloaded.rules.20120726070101
> 58c22ad85803c84973f2c390ae68e87c  downloaded.rules.20120726185806
>
> There must be some network issues on my end or elsewhere preventing the connection from predictably occurring. It looks like I had difficulty twice, from the results above. I'm assuming it resorts to the existing file, without applying any updates, if it cannot get the daily file? Or maybe the same rules file was fetched each night, and pulledpork.pl is configured to not make any changes if the rules file is the same as the previous night.
>
I guess you could look at the pulledpork.pl file to see its error handling, but it sounds reasonable that it quits without doing anything if it fails to download the rules from snort.org.
>
> I've just changed the timing of my fetch configured in /etc/cron.d/pulledpork, so perhaps that will help, if it is a network/congestion issue.
>
> Does anyone know whether or not all security-onion installations are trying to fetch their snort files at the exact same time?
>
Since SO is configured to run on UTC time, I guess all deployments will download at the same time.
>
>

/Lysemose

