Troubles disabling/suppressing one rule

[Shane Mullins]

I have tried to suppress/disable the rule "BAD-TRAFFIC TMP Firewall Client long host entry exploit attempt" gen_id 1, sig_id 19187. On some rules that are chatty or do not apply to us, I have successfully suppressed them in threshold.conf or disablesid.conf respectively.

For some reason, this rule is not being suppressed/disabled. I have double checked the gen_id, sig_id. Any thoughts on this?

Thanks
Shane

[Heine Lysemose]

Hi Shane

Two things could be happening here if the rule is correctly disabled/suppressed.

Either it's a backlog from Barnyard2 still pushing old events to your database or the rule contains flowbit which re-enabled the rule.

Could you paste the rule here?

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

[Shane Mullins]

Thanks Lysemose,

Did not think about pushing old events still being pushed, and didn't know about flowbit re-enabling the rule.  Here is the rule:

so_rules.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: engine shared, soid 3|19187;)

After pasting this rule in, I see the issue.  Snorby reported the gen_id as 1 and the sig_id as 19187.  The rule has the gid as 3, and the sid as 19187.  I will make that change now and see.

Many thanks,

Shane

[Heine Lysemose]

Yes that's the issue, you have to enter 3:19187 to disable or suppress the rule. Snorby will always show 1 as gid no matter what.

/Lysemose