Snort mailing list archives
Re: Using pulled pork to change rule state from alert to drop for a policy type
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Wed, 27 Mar 2013 16:53:04 -0400
I know it's a little bit delayed (I've been insanely busy these days), but I wanted to let you all know that I appreciate the feedback.

On Mon, Mar 25, 2013 at 12:19 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 3/24/2013 12:41, Tony Robinson wrote:
>> 5. Modify your snort rules to drop traffic in inline mode.
>>
>> My question revolves around 5. I'm well aware that pulled pork, via dropsid.conf, can be used to change alert rules to drop rules. I'm worried about haphazardly changing all the rules in my snort.rules file to DROP ALL THE THINGS.
>
> there's two (2) camps to this particular question...
>
> 1. are you running the novell netmail server (mentioned in next quoted paragraph) on your network? is it patched up to date and is fixed for this specific flaw? if the answer is "yes", then you don't need to run this rule, do you? for one thing, not loading this rule will lower snort's memory footprint as well as increasing snort's processing speed since it doesn't have to process the rule. so run only those rules that pertain to your network and the equipment and servers allowed to run on it...
>
> 2. i'm kinda in the other camp... if someone is sending bad data to my system, i want to know about it... don't shake (test) the door knob on my front door to see if it is opened for you to just walk in... if you try to connect to mssql on my network from outside my network, i want to know about it...
>    a) there's no reason for someone outside my network to try to connect to any sql servers there may be on my network,
>    b) sql servers should not face the world wild whirl and
>    c) how would you know there was a server there unless you've been probing and hunting for holes in which case, you are definitely up to no good and will be blocked...
>
>> What I would like to do: If I see a rule with policy metadata that recommends the rule be set to drop, I want to change that rule from alert to drop. Let's pick on sid 1:10011 -- SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt, just to illustrate what I'm trying to do.
>
> see above camp 1 unless you are in camp 2 ;)
>
>> It has the line "metadata:policy security-ips drop" indicating that: "If the user is using a security over connectivity ruleset, this would make a good drop rule in that rule policy configuration."
>
> ok...
>
>> If I am using a given rule policy configuration in pulled pork (balanced, connectivity or security), and I see a rule with metadata that indicates a given rule would make a good drop rule for that policy ruleset (metadata:policy balanced-ips || policy connectivity-ips || policy security-ips), I want to use pulledpork to change it to a drop rule. Is there an effective way to do this? If there is not, I think this would make for an awesome feature request in PP.
>
> i'll let others speak on this since i don't (yet) use pulledpork... i don't yet know how i would do it in my package but i have a rough idea... if PP doesn't have it, i agree that it would be a nice feature...
-- when does reality end? when does fantasy begin?
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
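The transformation Tony asks for, as an added example that is not part of the thread and is not PulledPork's own code: a small Python script that reads a Snort rules file, selects only the enabled alert rules whose metadata carries "policy <policy>-ips drop" for the chosen policy (connectivity, balanced or security), and either lists their gid:sid in the form a dropsid.conf takes or rewrites those rules from alert to drop. Rules that are already drop/pass/reject, rules whose metadata says "policy ...-ips alert", and commented-out (disabled) rules are left untouched, which is what keeps it from turning into "DROP ALL THE THINGS". The sample ruleset, the local SIDs 1000001-1000004 and the rule text are constructed for this example and are not taken from any vendor feed.

```python
"""Promote Snort alert rules to drop when their metadata recommends it for an
IPS policy.  Added example; not PulledPork code.  Sample rules are constructed."""
import re
from typing import List, Optional, Tuple

# Actions recognised at the start of a rule line.  Only "alert" is promoted;
# other actions and commented-out ("# alert ...") lines pass through unchanged.
RULE_RE = re.compile(
    r"^(?P<lead>\s*)(?P<action>alert|drop|sdrop|reject|pass|log)\s+(?P<rest>.*\(.*\))\s*$"
)

# Constructed sample ruleset (local SID range); not rules from a real ruleset.
SAMPLE_RULES = r'''
# constructed sample rules for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE mail APPEND overflow"; \
    flow:to_server,established; content:"APPEND"; \
    metadata:policy balanced-ips drop, policy security-ips drop; \
    classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"EXAMPLE mssql probe"; flow:to_server; metadata:policy security-ips alert; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; metadata:policy security-ips drop; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE escaped semicolon"; content:"a\;b"; metadata:policy connectivity-ips drop; sid:1000004; rev:1;)
'''


def join_continuations(text: str) -> List[str]:
    """Snort continues a rule onto the next line when a line ends in a backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + raw)
        buf = ""
    if buf:
        out.append(buf)
    return out


def rule_body(line: str) -> str:
    """The option list between the outermost parentheses of a rule."""
    return line[line.index("(") + 1 : line.rindex(")")]


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';', honouring double quotes and backslash
    escapes so that a '\\;' inside content:"..." does not end an option."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == '"':
            cur, quoted = cur + ch, not quoted
        elif ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    parsed = []
    for opt in opts:
        name, _, value = opt.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def recommends_drop(options: List[Tuple[str, str]], policy: str) -> bool:
    """True when some metadata entry reads exactly 'policy <policy>-ips drop'."""
    want = f"{policy}-ips"
    for name, value in options:
        if name != "metadata":
            continue
        for entry in value.split(","):
            tokens = entry.split()
            if tokens == ["policy", want, "drop"]:
                return True
    return False


def rule_id(options: List[Tuple[str, str]]) -> Optional[str]:
    """gid:sid of a rule; gid defaults to 1 when the rule does not set it."""
    gid, sid = "1", None
    for name, value in options:
        if name == "gid":
            gid = value
        elif name == "sid":
            sid = value
    return f"{gid}:{sid}" if sid else None


def dropsid_entries(rules_text: str, policy: str) -> List[str]:
    """gid:sid lines (dropsid.conf style) for enabled alert rules that the
    metadata recommends dropping under `policy`."""
    entries = []
    for line in join_continuations(rules_text):
        m = RULE_RE.match(line)
        if not m or m.group("action") != "alert":
            continue
        opts = split_options(rule_body(line))
        if recommends_drop(opts, policy):
            rid = rule_id(opts)
            if rid:
                entries.append(rid)
    return entries


def promote_to_drop(rules_text: str, policy: str) -> str:
    """Rewrite matching enabled alert rules to drop; everything else is kept."""
    out = []
    for line in join_continuations(rules_text):
        m = RULE_RE.match(line)
        if m and m.group("action") == "alert" and recommends_drop(
            split_options(rule_body(line)), policy
        ):
            line = f"{m.group('lead')}drop {m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("\n".join(dropsid_entries(SAMPLE_RULES, "security")))  # dropsid.conf lines
    print(promote_to_drop(SAMPLE_RULES, "security"))  # rewritten ruleset
```

Point it at a real snort.rules by replacing SAMPLE_RULES with the file contents; feeding the first output into dropsid.conf lets PulledPork do the flipping on its next run, while the second output is the direct rewrite for a local or one-off ruleset. Re-run it after each rule update, since the vendor's policy metadata is what drives the decision and it changes between revisions.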
Current thread:
- Using pulled pork to change rule state from alert to drop for a policy type Tony Robinson (Mar 24)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Joel Esler (Mar 24)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Yossi Nachum (Mar 25)
- Re: Using pulled pork to change rule state from alert to drop for a policy type waldo kitty (Mar 25)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Tony Robinson (Mar 27)