topic Hello khendrick512, in Network Security

Custom Snort rule, "EOSTORE FAILED" - cannot commit policy changes

khendrick512 — Tue, 12 Mar 2019 13:10:57 GMT

Hello all,

In MC 6.0.1, I added two custom Snort rules (see end of post), turned these on to "generate events" in a few different Intrusion policies, and try to commit the changes, but it fails with the message "EOStore failed". Has anyone else seen this?

The custom rules are related to the Mirai DDoS attacks:

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg: "Mirai C2 init"; content: "|00 00 00 01|"; offset:0; dsize: 4; sid:1; )

alert tcp any any -> any 23 ( msg: "Mirai Telnet exploitation"; content: "/bin/busybox cat /proc/mounts|3B| /bin/busybox ECCHI"; sid:2; )

Hello khendrick512,

Jetsy Mathew — Thu, 27 Oct 2016 16:00:46 GMT

Hello khendrick512,

Make sure that its affecting only the custom rules or other local rules ?

Could you please double check if the NAP actually commits even after showing the error.

Regards
Jetsy

It looks like you're right,

khendrick512 — Thu, 27 Oct 2016 20:09:03 GMT

It looks like you're right, though I'm still not sure what the real issue is. I assumed the policy was not committing since the policy stays in edit mode and the error implies that the commit failed, but after I discard my edits and go into the policies, the custom rules are enabled to generate events.