Maybe I'm too dumb to do some testing of whether the IDS updater works correctly, if at all - at least on my side.
I've opened the rules file browser-ie.rules and commented out all rules by putting a #-char at the beginning of each line, e.g.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; content:".bat."; fast_pattern:only; http_uri; content:"MSIE "; http_header; pcre:"/^User-Agent:[^\n]*?MSIE\s[56]/Hmi"; metadata:service http; reference:bugtraq,11768; classtype:bad-unknown; sid:26937; rev:3;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; content:".html."; fast_pattern:only; http_uri; content:"MSIE "; http_header; pcre:"/^User-Agent:[^\n]*?MSIE\s[56]/Hmi"; metadata:service http; reference:bugtraq,11768; classtype:bad-unknown; sid:26936; rev:3;)
As a result, the Intrusion Detection webpage lists all rules below the category browser-ie.rules as inactive.
I've then modified the status file of the IDS updater as suggested, added a Z to each of those checksum lines and saved it again.
Afterwards, I've fired this command
and let the updater do its job. The policy is set to MAX-DETECT according to the settings file. The issues with the WebIF are posted above.
After the updater forced SNORT to re-read its settings, I first had a look at the file modification date/time of the file browser-ie.rules - no changes made. Second, I checked the rules inside the file and in the WebIF - no changes either.
I hope that the rule file I've used for those tests does include at least one rule that the policy MAX-DETECT will detect and activate. If not, how can I run some test to check if the updater does its job?
Michael
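One way to answer the question at the end of the post is to check the rules file itself rather than the WebIF: parse each rule line, read its `metadata:policy ...` tags, and list the SIDs that the chosen policy should have enabled but which are still commented out. This is an added example, not code from the post or from the updater; it assumes the updater keys on Snort's `metadata:policy <name>-ips` tags (the two rules quoted in the post carry only `metadata:service http`, so a file with such tags is needed for the test), and the sample rules below are constructed.

```python
import re

# Constructed sample (not from the original post): rule lines in Snort
# syntax, some disabled with a leading '#', with varying policy metadata.
SAMPLE_RULES = """\
# comment line that is not a rule
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST one"; metadata:service http, policy max-detect-ips drop; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST two"; metadata:policy security-ips drop, policy max-detect-ips drop; sid:1000002; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST three"; metadata:service http; sid:1000003; rev:1;)
"""

# A rule line: optional '#' (disabled), an action keyword, and a sid option.
RULE_RE = re.compile(r"^(#\s*)?(alert|drop|log|pass)\s.*\(.*\bsid:(\d+);")
META_RE = re.compile(r"\bmetadata:([^;]*);")


def parse_rules(text):
    """Return one dict per rule line: sid, enabled flag and policy names."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and plain comments are not rules
        policies = set()
        meta = META_RE.search(line)
        if meta:
            # metadata entries are comma separated, e.g. "policy max-detect-ips drop"
            for entry in meta.group(1).split(","):
                words = entry.split()
                if len(words) >= 2 and words[0] == "policy":
                    policies.add(words[1])
        rules.append({"sid": int(m.group(3)),
                      "enabled": m.group(1) is None,
                      "policies": policies})
    return rules


def disabled_for_policy(text, policy):
    """SIDs tagged with `policy` that are still commented out after the update."""
    return [r["sid"] for r in parse_rules(text)
            if policy in r["policies"] and not r["enabled"]]


def enabled_sids(text):
    """SIDs whose rule line is active (no leading '#')."""
    return [r["sid"] for r in parse_rules(text) if r["enabled"]]


if __name__ == "__main__":
    print("still disabled for max-detect:",
          disabled_for_policy(SAMPLE_RULES, "max-detect-ips"))
```

Run it against the real rules file before and after the updater runs (for example by reading the file into `text`); an empty list after the run means every rule the policy covers was switched on.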