[Emerging-Sigs] FP on 2011031?

L0rd Ch0de1m0rt l0rdch0de1m0rt at gmail.com
Fri Oct 8 10:10:04 EDT 2010


Maybe ET has subcontracted the magical Sourcefire "silent fix" gnomes?

-L0rd

On Fri, Oct 8, 2010 at 9:04 AM, Weir, Jason <jason.weir at nhrs.org> wrote:
> I'm running 2.8.6.1 as well..
>
> And just like magic they stopped triggering sometime last night...  No
> changes on my end..  Gotta love it when that happens..
>
> -J
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of ilya
> Sent: Friday, October 08, 2010 3:31 AM
> To: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] FP on 2011031?
>
>
>
> On 08.10.2010 08:16, waldo kitty wrote:
>> On 10/7/2010 16:36, evilghost at packetmail.net wrote:
>>> I really wish I had more to offer here.  I just can't fathom why this
>>> rule is firing.  We ran it with 2.8.5.x and even now with 2.8.6.1
>>> without any false positives.
>>>
>>> I rarely, if ever, see it fire.  I know this doesn't help your
>>> situation but I am putting thought into it.
>>>
>>> Double-checked and we're running 2011031; anyone else having issues?
>> we're running it here in 2.8.6.1 with the VRT compile-time options and
>> the VRT snort.conf... i'm not seeing it firing at all on my live
>> traffic... i don't know what the problem might be over there at
>> jason's place...
>>
> The same here: it fires only on a "GET" that is not all capitals.
> (I'm just learning how to deal with snort, traversing through rule files
> and letting some of the rules fire, checking system load. Just tested 2011031
> with different strings.)
>>> What version of Snort are you using Jason?
>> FWIW: for the time being, mine is...
>>      ,,_     -*>  Snort!<*-
>>     o"  )~   Version 2.8.6.1 GRE (Build 39)
>>      ''''    By Martin Roesch&  The Snort Team:
> http://www.snort.org/snort/snort-team
>>              Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>              Using PCRE version: 7.8 2008-09-05
>>              Using ZLIB version: 1.2.3
> Occasionally, mine is almost the same:
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using PCRE version: 8.02 2010-03-19
>            Using ZLIB version: 1.2.3
>
>>> Just don't see why this rule would fire on all HTTP GETs, it should
>>> never fire on HTTP "GET"...
>
>

