Anonymous | Login | 2024-12-04 09:24 EST |
Main | My View | View Issues | Change Log | Roadmap |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
ID | Project | Category | View Status | Date Submitted | Last Update | |||
0000024 | PacketFence 1.6.2 | public | 2006-05-03 12:44 | 2006-05-06 16:46 | ||||
Reporter | user4 | |||||||
Assigned To | ||||||||
Priority | normal | Severity | minor | Reproducibility | always | |||
Status | closed | Resolution | fixed | |||||
Platform | OS | OS Version | ||||||
Summary | 0000024: violations.conf and snort rule IDs not matching up ? | |||||||
Description | In violations.conf we have for example: [2001219] desc=SSH Scan priority=6 url=/content/scanning disable=N auto_enable=N trigger=Detect::2001919 On the other hand, in snort/bleeding-all.rules the corresponding rule #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; sid: 2001919; rev:3; ) is commented out and does not check for a ssh scan | |||||||
Tags | No tags attached. | |||||||
Attached Files | ||||||||
Notes | |
(0000030) user4 2006-05-03 12:44 |
Reminder sent to: user4, dlaporte, kevmcs |
(0000031) user4 2006-05-03 12:56 |
The following diffs should fix the problem: violations.conf 132c132 < trigger=Detect::2001919 --- > trigger=Detect::2001219 bleeding-all.rules 3485c3485 < #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/; sid: 2001219; rev:12; ) --- > alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/; sid: 2001219; rev:12; ) |
(0000047) kevmcs (developer) 2006-05-06 16:26 |
I have removed ssh scan from violations.conf. Source $External_Net rules will always be external to packetfence. |
(0000050) kevmcs (developer) 2006-05-06 16:46 |
I have removed ssh scan from violations.conf. Source $External_Net rules will always be external to packetfence. |
Issue History | |||
Date Modified | Username | Field | Change |
2006-05-03 12:44 | user4 | New Issue | |
2006-05-03 12:44 | user4 | Note Added: 0000030 | |
2006-05-03 12:56 | user4 | Note Added: 0000031 | |
2006-05-06 16:26 | kevmcs | Note Added: 0000047 | |
2006-05-06 16:46 | kevmcs | Status | new => closed |
2006-05-06 16:46 | kevmcs | Note Added: 0000050 | |
2006-05-06 16:46 | kevmcs | Resolution | open => fixed |
Copyright © 2000 - 2012 MantisBT Group |