Re: ftp rules

[santhoj san <santhojirulappan () gmail com>]

I am ruling snort in IPS mode only. Now changed the rule using reject
instead of drop with different revision number for rules. l I'm getting
Drop alert in console but not the packets are dropped. I am able to access
the application.

*Rules:*
reject tcp any any -> any any (msg:"No skype 80"; appid:skype;
sid:10000004; rev:003;)
reject tcp any any -> any any (msg:"No youtube"; appid:youtube;
sid:10000006; rev:004;)
reject tcp any any -> any any (msg:"No Google"; appid:google; sid:10000007;
rev:005;)

*Changes in snort.conf*
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: buffer_size_mb=512

*command line:* sudo /usr/local/bin/snort -d -A console -u snort -g snort
-c /etc/snort/snort.conf -i eth0:wlan0 -Q
*Console Log:*
Enabling inline operation
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...


Thanks & Regards
Santhoj Irulappan

On Fri, Oct 23, 2015 at 6:37 PM, Adonis Okpidi <adonisokpidi () gmail com>
wrote:

> http://stackoverflow.com/questions/22126452/snort-ips-rule-reject-work-but-drop-and-sdrop-dont-work
>
> Have a read through the answer as I'm sure it will help you with why it
> doesn't drop the packet because snort has to be ran in inline mode which
> make it act as an IPS. Because by default snort runs passively which makes
> it unable to drop the packets so change the settings in the snort.conf
> file. Let me know how you get on. And also you can use 'rev:1;' and 'rev:2;'
>
> http://manual.snort.org/node31.html
>
>
>
> Best Regards,
> Adonis Okpidi
>
>
> On 23 Oct 2015, at 05:35, santhoj san <santhojirulappan () gmail com> wrote:
>
> Ya I tried with drop. Still it is not dropping the packets. I used the
> below rule
>
> drop tcp any any -> any any (msg:"No chrome"; appid:chrome; sid:10000004;
> rev:001;)
> drop tcp any any -> any any (msg:"No skype"; appid:skype; sid:10000005;
> rev:001;)
>
> Still I am able to access chrome, skype.
>
> Thanks & Regards
> Santhoj Irulappan
>
> On Fri, Oct 23, 2015 at 12:50 AM, Adonis Okpidi <adonisokpidi () gmail com>
> wrote:
>
> > You can use 'drop' instead of 'alert'
> >
> > Best Regards,
> > Adonis Okpidi
> >
> >
> > On 22 Oct 2015, at 18:28, santhoj san <santhojirulappan () gmail com> wrote:
> >
> > Hi, Can anyone help me in how to make a rule to drop the packets.
> >
> > Thanks & Regards
> > Santhoj Irulappan
> >
> > On Thu, Oct 22, 2015 at 9:12 PM, Adam Ring <adam.ring () aocsolutions com>
> > wrote:
> >
> > > Yea I just found out about the protocol-ftp rules.  Thanks.
> > >
> > >
> > >
> > > *From:* Joel Esler (jesler) [mailto:jesler () cisco com]
> > > *Sent:* Thursday, October 22, 2015 11:42 AM
> > > *To:* Adam Ring
> > > *Cc:* snort-sigs () lists sourceforge net
> > > *Subject:* Re: [Snort-sigs] ftp rules
> > >
> > >
> > >
> > > Take a look at protocol-ftp.rules
> > >
> > >
> > >
> > >
> > >
> > > --
> > >
> > > *Joel Esler*
> > >
> > > Manager, Talos Group
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Oct 22, 2015, at 8:55 AM, Adam Ring <adam.ring () AocSolutions com
> > > <adam.ring () aocsolutions com>> wrote:
> > >
> > >
> > >
> > > Hi I am new to snort and was trying to create an ftp rule.  I have
> > > downloaded the rules from the website, but in the ftp file there aren’t any
> > > rules in there.  I was wondering if that was supposed to be empty and if it
> > > is, is there a place where I can go to find some examples of ftp rules?
> > >
> > >
> > >
> > > *Adam Ring*
> > >
> > > IT Help Desk Techniction
> > >
> > > Office 703.677.9540
> > >
> > >
> > >
> > > AOC Solutions <http://www.aocsolutions.com/> | Solutions That Pay®
> > >
> > >
> > >
> > > Blog <http://www.aocsolutions.com/blog> | Video
> > > <http://www.aocsolutions.com/ap-payment-automation-video> | LinkedIn
> > > <https://www.linkedin.com/company/139025?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1436380782168%2Ctas%3Aaoc%20solutions>
> > >
> > >
> > >
> > > *<image001.png>*
> > > <http://www.aocsolutions.com/about-aoc/aoc-in-the-news/aoc-named-top-workplace-by-washington-post>
> > >
> > >
> > >
> > >
> > >
> > > This e-mail and any attachments may contain confidential and privileged
> > >
> > > information. If you are not the intended recipient, please notify the sender
> > >
> > > immediately by return e-mail, delete this e-mail and attachments (if applicable)
> > >
> > > and destroy any copies. Any dissemination or use of this information by a person
> > >
> > > other than the intended recipient is unauthorized and strictly prohibited. You
> > >
> > > may be subject to confidentiality restrictions in an existing contract with AOC
> > >
> > > Solutions, Inc. As a result, you must protect the contents of this communication
> > >
> > > according to such terms and conditions.
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > > http://www.snort.org
> > >
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
> > >
> > >
> > >
> > > This e-mail and any attachments may contain confidential and privileged
> > > information. If you are not the intended recipient, please notify the sender
> > > immediately by return e-mail, delete this e-mail and attachments (if applicable)
> > > and destroy any copies. Any dissemination or use of this information by a person
> > > other than the intended recipient is unauthorized and strictly prohibited. You
> > > may be subject to confidentiality restrictions in an existing contract with AOC
> > > Solutions, Inc. As a result, you must protect the contents of this communication
> > > according to such terms and conditions.
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > > http://www.snort.org
> > >
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> > ------------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!