Snort mailing list archives

Re: Snort-users Digest, Vol 1, Issue 4


From: "tantioification . via Snort-users" <snort-users () lists snort org>
Date: Sun, 18 Jun 2017 08:52:50 +0700

Hi Jim,

Could you tell me how to drop any packet that alerted automatically with
pulledpork? In your last post you seem to have been successful.
Would you share it with me?

On Thu, Jun 15, 2017 at 11:00 PM, <snort-users-request () lists snort org>
wrote:

Send Snort-users mailing list submissions to
        snort-users () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists snort org

You can reach the person managing the list at
        snort-users-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim
your response.


Today's Topics:

   1. Pulledpork Modify Rules Automatically (Jim Campbell)
   2. Re: Pulledpork Modify Rules Automatically (James Lay)
   3. Re: Pulledpork Modify Rules Automatically (Jim Campbell)


----------------------------------------------------------------------

Message: 1
Date: Wed, 14 Jun 2017 21:42:23 -0400
From: Jim Campbell <jim () w4bqp net>
To: snort-users () lists snort org
Subject: [Snort-users] Pulledpork Modify Rules Automatically
Message-ID: <245afd3b-f98b-3312-9007-96939c862ab5 () w4bqp net>
Content-Type: text/plain; charset=utf-8; format=flowed

Since I last posted here I ended up formatting my hard drive, installing
the latest Ubuntu and installing Snort in IPS mode. However, at the end
of the tutorial on
http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
shows you how to modify the single local rule to drop rather than alert.
There is mention of a future page that will tell how to have Pulledpork
automatically modify all the rules to drop.

My setup is running in inline mode but so far hasn't reported any
packets being flagged. I could sure use some help.

Thanks,

Jim

--
"We are not human beings having a spiritual experience;
we are spiritual beings having a human experience."
---Pierre Teilhard de Chardin



------------------------------

Message: 2
Date: Wed, 14 Jun 2017 19:54:01 -0600
From: James Lay <jlay () slave-tothe-box net>
To: snort-users () lists snort org
Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
Message-ID: <1497491641.2275.3.camel () slave-tothe-box net>
Content-Type: text/plain; charset="utf-8"

On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
Since I last posted here I ended up formatting my hard drive, installing
the latest Ubuntu and installing Snort in IPS mode. However, at the end
of the tutorial on
http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
shows you how to modify the single local rule to drop rather than alert.
There is mention of a future page that will tell how to have Pulledpork
automatically modify all the rules to drop.

My setup is running in inline mode but so far hasn't reported any
packets being flagged. I could sure use some help.

Thanks,

Jim

Dropsid.conf is where you'll want to look:
https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
James

------------------------------

Message: 3
Date: Thu, 15 Jun 2017 11:10:33 -0400
From: Jim Campbell <jim () w4bqp net>
To: snort-users () lists snort org
Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
Message-ID: <d35efbd4-7b73-ad0b-e747-dafdfe12838b () w4bqp net>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

James,

Thanks for the reply and the pointer to the site. Those instructions
would allow me to drop specific rules. What I wanted to do is to drop
any packet that alerted, then except specific rules that I want to
allow. Something like the inverse of what your site specified. I did
some searching on the internet and found the following site:

https://s3.amazonaws.com/snort-org-site/production/
document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf

I realize that my original question specified Pulledpork. I wasn't aware
that Snort being properly configured could do IPS all by itself. Snort
is now doing what I want it to do.

Thanks again,

Jim

On 6/14/2017 9:54 PM, James Lay wrote:
On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
Since I last posted here I ended up formatting my hard drive, installing
the latest Ubuntu and installing Snort in IPS mode. However, at the end
of the tutorial on
http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/  it
shows you how to modify the single local rule to drop rather than alert.
There is mention of a future page that will tell how to have Pulledpork
automatically modify all the rules to drop.

My setup is running in inline mode but so far hasn't reported any
packets being flagged. I could sure use some help.

Thanks,

Jim


Dropsid.conf is where you'll want to look:

https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf

James


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


------------------------------


------------------------------

End of Snort-users Digest, Vol 1, Issue 4
*****************************************

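The transformation Jim describes in Message 3 (turn every rule that would alert into a drop rule, then exempt a handful of specific rules that should stay alert-only) is the inverse of what dropsid.conf does, so here is a worked example of that inverse as a small standalone script. This is added code written for this thread, not pulledpork's own mechanism and not from any post above. It assumes single-line Snort 2.x rule syntax, a hypothetical keep_alert list of "gid:sid" strings, and a constructed sample ruleset; commented-out rules, rules with other actions (pass, log) and malformed rules without a sid are left untouched rather than guessed at.

```python
import re
from typing import Iterable

# Constructed sample in Snort 2.x syntax; these are not real ruleset entries.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flow:to_server; detection_filter:track by_src, count 5, seconds 60; sid:10000002; rev:2;)
# alert tcp any any -> any 80 (msg:"disabled rule stays disabled"; sid:10000003; rev:1;)
pass tcp $HOME_NET any -> any 53 (msg:"already pass"; sid:10000004; rev:1;)
alert udp any any -> any 161 (msg:"SNMP noisy, keep as alert"; sid:10000005; rev:1;)
"""

# Rule action is the first token on the line; only 'alert' is rewritten.
ACTION_RE = re.compile(r'^(\s*)(alert)(\s)', re.IGNORECASE)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def alert_to_drop(rules_text: str, keep_alert: Iterable[str] = ()) -> str:
    """Rewrite every enabled 'alert' rule to 'drop', except rules whose
    gid:sid is listed in keep_alert (gid defaults to 1 when absent, as Snort does).
    Comment lines, blank lines, other actions and sid-less lines pass through unchanged."""
    exempt = set(keep_alert)  # hypothetical exemption list, the inverse of dropsid.conf
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if not m or line.lstrip().startswith('#'):
            out.append(line)
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            # A rule without a sid cannot be matched against the exemption list,
            # so leave it as it is rather than silently changing its action.
            out.append(line)
            continue
        gid_m = GID_RE.search(line)
        key = f"{gid_m.group(1) if gid_m else '1'}:{sid_m.group(1)}"
        if key in exempt:
            out.append(line)
        else:
            out.append(ACTION_RE.sub(lambda mm: f"{mm.group(1)}drop{mm.group(3)}", line, count=1))
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else "")


def count_actions(rules_text: str) -> dict:
    """Count actions among enabled rules; a quick sanity check before reloading Snort."""
    counts = {}
    for line in rules_text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        action = s.split(None, 1)[0].lower()
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    rewritten = alert_to_drop(SAMPLE_RULES, keep_alert=["1:10000005"])
    print(rewritten)
    print("before:", count_actions(SAMPLE_RULES))
    print("after: ", count_actions(rewritten))
```

Run it over a copy of the rules file, compare the before/after action counts, and only then point snort.conf at the rewritten file and run a config test. The drop action only blocks traffic when Snort is running inline, which is what the DAQ AFPacket document Jim found sets up; in a passive deployment the same rules will not stop anything.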
