10-27-2016 08:05 AM - edited 03-12-2019 06:10 AM
Hello all,
In MC 6.0.1, I added two custom Snort rules (see end of post), turned these on to "generate events" in a few different Intrusion policies, and tried to commit the changes, but it fails with the message "EOStore failed". Has anyone else seen this?
The custom rules are related to the Mirai DDoS attacks:
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg: "Mirai C2 init"; content: "|00 00 00 01|"; offset:0; dsize: 4; sid:1; )
alert tcp any any -> any 23 ( msg: "Mirai Telnet exploitation"; content: "/bin/busybox cat /proc/mounts|3B| /bin/busybox ECCHI"; sid:2; )
10-27-2016 09:00 AM
Hello khendrick512,
Make sure that it's affecting only the custom rules or other local rules?
Could you please double check if the NAP actually commits even after showing the error?
Regards
Jetsy
10-27-2016 01:09 PM
It looks like you're right, though I'm still not sure what the real issue is. I assumed the policy was not committing since the policy stays in edit mode and the error implies that the commit failed, but after I discard my edits and go into the policies, the custom rules are enabled to generate events.