Snort mailing list archives
Re: problem tuning out one particular rule
From: JJC <cummingsj () gmail com>
Date: Wed, 30 Mar 2011 10:40:13 -0600
As a quick note, Jason responded off-list stating that the src/dst switch was likely the culprit. The simple way that I determined this was based on the "directionality" of the rule.

rule snip:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any

As you can see, this is looking for a response and is TO the $HOME_NET... if you don't understand, try harder ;-)

JJC

On Wed, Mar 30, 2011 at 10:23 AM, JJC <cummingsj () gmail com> wrote:
Speaking from the perspective of PulledPork, that rule is re-enabled because it sets a flowbit that other rules (that are enabled) rely on. As to the suppression, are you sure that the source is 10.0.0.0/8 and that it's not the dest?

JJC

On Wed, Mar 30, 2011 at 9:50 AM, Youngquist, Jason R. <jryoungquist () ccis edu> wrote:

So I’ve been doing some Snort tuning over the last couple weeks. I’m using Snort 2.9.0.4, Barnyard2, and PulledPork 0.5. There’s this one event signature “WEB-CLIENT Portable Executable binary file transfer” (sid: 15306) and I’ve been trying to tune it out, but it still keeps on firing.

I have it in the disablesid.conf:

# WEB-CLIENT Portable Executable binary file transfer
1:15306

I also put it in the threshold.conf as well:

# ignore these WEB-CLIENT Portable Executable binary file transfer
suppress gen_id 1, sig_id 15306, track by_src, ip 10.0.0.0/8

Yet, the rule keeps firing. All of the other rules I’ve ignored using the methods above have worked, so not sure what’s different about this particular rule. Thoughts?

Thanks.

Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; WebMatrix provides all the features you need to develop and publish your website.
http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
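An added illustration of the directionality point made in the thread (this is not code from the thread or from Snort): a small model of threshold.conf suppress matching. It reads the quoted rule header to see which side of the flow is $HOME_NET, then applies the original by_src entry and a by_dst variant to a constructed event in that rule's direction. Event addresses, the by_dst line and the helper names are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the rule header and suppress line quoted in the thread,
# plus a by_dst variant. Added illustration, not Snort's own matching code.
RULE_HEADER = "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"
SUPPRESS_BY_SRC = "suppress gen_id 1, sig_id 15306, track by_src, ip 10.0.0.0/8"
SUPPRESS_BY_DST = "suppress gen_id 1, sig_id 15306, track by_dst, ip 10.0.0.0/8"


def home_net_track(header):
    """Read the rule header's direction and return the track keyword that
    compares the $HOME_NET side of the flow ('by_src' or 'by_dst')."""
    _action, _proto, src, _sport, arrow, dst, _dport = header.split()
    if arrow == "->" and dst == "$HOME_NET":
        return "by_dst"
    if arrow == "->" and src == "$HOME_NET":
        return "by_src"
    raise ValueError("cannot tell which side is $HOME_NET: " + header)


def parse_suppress(line):
    """Return (gen_id, sig_id, track, network) from a threshold.conf suppress line."""
    body = line.strip()
    if not body.startswith("suppress "):
        raise ValueError("not a suppress line: " + line)
    # Each comma-separated field is "keyword value", e.g. "sig_id 15306".
    fields = dict(part.split() for part in body[len("suppress "):].split(","))
    return (int(fields["gen_id"]), int(fields["sig_id"]),
            fields["track"], ip_network(fields["ip"]))


def is_suppressed(event, suppress_line):
    """Apply a suppress entry as threshold.conf describes it: by_src checks
    the event's source IP, by_dst its destination IP."""
    gen_id, sig_id, track, net = parse_suppress(suppress_line)
    if (event["gen_id"], event["sig_id"]) != (gen_id, sig_id):
        return False
    addr = event["src"] if track == "by_src" else event["dst"]
    return ip_address(addr) in net


# Constructed event in sid 15306's direction: a response from an external web
# server ($EXTERNAL_NET:$HTTP_PORTS) to an internal client inside 10.0.0.0/8.
EVENT = {"gen_id": 1, "sig_id": 15306, "src": "203.0.113.10", "dst": "10.1.2.3"}

if __name__ == "__main__":
    print("track to use for this rule:", home_net_track(RULE_HEADER))  # by_dst
    print("by_src suppresses event:", is_suppressed(EVENT, SUPPRESS_BY_SRC))  # False
    print("by_dst suppresses event:", is_suppressed(EVENT, SUPPRESS_BY_DST))  # True
```

The by_src entry never matches because the source of this alert is the external server, not the 10.0.0.0/8 client; tracking the $HOME_NET side (by_dst here) is what the suppression needs.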