PacketFence
Bug Tracking System

ID: 0000024
Project: PacketFence
Category: 1.6.2
View Status: public
Date Submitted: 2006-05-03 12:44
Last Update: 2006-05-06 16:46
Reporter: user4
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version:
Summary: 0000024: violations.conf and snort rule IDs not matching up ?
Description

In violations.conf we have, for example:

[2001219]
desc=SSH Scan
priority=6
url=/content/scanning
disable=N
auto_enable=N
trigger=Detect::2001919


On the other hand, in snort/bleeding-all.rules the corresponding rule

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; sid: 2001919; rev:3; )

is commented out and does not check for an SSH scan.
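The mismatch described above is a single transposed digit (2001919 versus 2001219) that nothing in PacketFence 1.6.2 checks for when violations.conf is loaded. As an added example, not PacketFence code and not part of this bug report, the following Python script cross-checks every Detect:: trigger in a violations.conf against the sids in a Snort rules file and reports triggers whose sid has no rule at all, whose rule is commented out, or whose sid does not equal the section id it lives under. The sample inputs are constructed (and abbreviated) from the snippets quoted in the report. Two points are assumptions of this example rather than statements from the report: that a trigger value may be a comma-separated list, and that a section id is expected to mirror the Snort sid it triggers on, as it does in the snippet.

```python
"""Cross-check violations.conf Detect:: triggers against a Snort rules file.

Added example, not PacketFence code.  The sample inputs below are constructed
from the snippets quoted in the bug report (rule options abbreviated).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the violation section exactly as quoted in the report.
VIOLATIONS_CONF = """\
[2001219]
desc=SSH Scan
priority=6
url=/content/scanning
disable=N
auto_enable=N
trigger=Detect::2001919
"""

# Constructed sample: the two rules quoted in the report, both commented out.
BLEEDING_RULES = """\
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; sid: 2001219; rev:12; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; classtype: trojan-activity; sid: 2001919; rev:3; )
"""

SECTION_RE = re.compile(r"^\[(\d+)\]\s*$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def parse_violations(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style violations.conf into {section_id: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def parse_rules(text: str) -> Dict[str, Tuple[bool, str]]:
    """Map every sid found in a Snort rules file to (enabled, msg).

    A rule is 'enabled' when its line does not start with '#'.
    """
    rules: Dict[str, Tuple[bool, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if not line or not m:
            continue
        msg_m = MSG_RE.search(line)
        rules[m.group(1)] = (not line.startswith("#"), msg_m.group(1) if msg_m else "")
    return rules


def detect_sids(trigger: str) -> List[str]:
    """Return the sids of all Detect:: entries in a trigger value.

    Assumption of this example: the value may be a comma-separated list of
    triggers of different kinds; only Detect:: entries are Snort sids.
    """
    return [p.strip()[len("Detect::"):] for p in trigger.split(",")
            if p.strip().startswith("Detect::")]


def check(violations: Dict[str, Dict[str, str]],
          rules: Dict[str, Tuple[bool, str]]) -> List[Tuple[str, str, str]]:
    """Return (section_id, sid, problem) for every trigger that looks wrong."""
    findings: List[Tuple[str, str, str]] = []
    for vid, cfg in violations.items():
        for sid in detect_sids(cfg.get("trigger", "")):
            if sid not in rules:
                findings.append((vid, sid, f"no rule with sid {sid} in rules file"))
                continue
            enabled, msg = rules[sid]
            if not enabled:
                findings.append((vid, sid, f"rule is commented out: {msg}"))
            # Assumption: Detect:: sections are keyed by the sid they fire on,
            # so a differing sid is almost always a typo like the one reported.
            if sid != vid:
                findings.append((vid, sid, f"trigger sid {sid} differs from section id {vid}"))
    return findings


def run_check(conf_text: str, rules_text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse both inputs and return the findings."""
    return check(parse_violations(conf_text), parse_rules(rules_text))


if __name__ == "__main__":
    for vid, sid, problem in run_check(VIOLATIONS_CONF, BLEEDING_RULES):
        print(f"[{vid}] Detect::{sid}: {problem}")
```

Run against the quoted snippets the script reports both defects from the report: the SSH Scan section triggers on sid 2001919, which belongs to the commented-out postcard.gif.exe rule, and that sid differs from the section id. After applying the two one-line changes proposed in the notes (trigger=Detect::2001219 and uncommenting the port-22 rule) it reports nothing.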
Notes
(0000030)
user4
2006-05-03 12:44

Reminder sent to: user4, dlaporte, kevmcs

(0000031)
user4
2006-05-03 12:56

The following diffs should fix the problem:

violations.conf
132c132
< trigger=Detect::2001919
---
> trigger=Detect::2001219
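Review bot: with this line the trigger sid, the section header [2001219] and the sid of the "Potential SSH Scan" rule finally agree, which is exactly what the report asks for; before it, the section labelled SSH Scan fired on sid 2001919, the commented-out postcard.gif.exe SMTP rule. Because the two ids differ only by a transposed digit, the same section-id-versus-trigger comparison should be run over every Detect:: trigger in violations.conf, not just line 132. A unified diff with context would also apply more safely than the bare 132c132 line reference, which stops matching as soon as the file shifts.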


bleeding-all.rules
3485c3485
< #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/; sid: 2001219; rev:12; )
---
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/; sid: 2001219; rev:12; )
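Review bot: dropping the leading "#" enables the rule, but it still does not catch the case a NAC cares about: the rule matches $EXTERNAL_NET any -> $HOME_NET 22, so an internal host on $HOME_NET scanning its neighbours for SSH never matches unless $EXTERNAL_NET is defined to overlap $HOME_NET. The developer's reply below makes the same point. If the goal is to quarantine scanning LAN hosts, a rule with source $HOME_NET in a local rules file is the better change; editing the distributed bleeding-all.rules will be undone by the next rules update. Note also that the threshold fires only after five SYNs from one source within 120 seconds, so a slower scan stays below it.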
(0000047)
kevmcs (developer)
2006-05-06 16:26

I have removed ssh scan from violations.conf. Source $External_Net rules will always be external to packetfence.
(0000050)
kevmcs (developer)
2006-05-06 16:46

I have removed ssh scan from violations.conf. Source $External_Net rules will always be external to packetfence.

Issue History

Date Modified     Username  Field       Change
2006-05-03 12:44  user4     New Issue
2006-05-03 12:44  user4     Note Added  0000030
2006-05-03 12:56  user4     Note Added  0000031
2006-05-06 16:26  kevmcs    Note Added  0000047
2006-05-06 16:46  kevmcs    Status      new => closed
2006-05-06 16:46  kevmcs    Note Added  0000050
2006-05-06 16:46  kevmcs    Resolution  open => fixed

