Snort mailing list archives

Re: BASE


From: Dan O'Brien via Snort-users <snort-users () lists snort org>
Date: Thu, 14 Sep 2017 14:35:55 -0400

Ok, slowly I am trying to figure this out. 

I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg 
firewall client long host entry exploit attempt-19187" alerts.

The source IPs for all the alerts are my internet service provider's DNS servers along with the IP of my Pi-hole Raspberry 
Pi. So, I need a simple filter for this rule, correct?

I figure I need this:
suppress gen_id 1, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]

1) Will this work? 
2) Where does it go? Snort.conf?
3) Can I list multiple comma separated IPs or a new line for each IP?

Thanks in advance for any assistance. 

Thanks,
Dan
(770) 624-1010
pdobrien3 () gmail com

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad
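Added example (not Snort's parser and not the poster's code): a small offline simulator for the documented Snort 2.9 suppress syntax, `suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip-list>`, run over a handful of constructed alert records. It rejects the thread's entry as written (the comma after the sig_id value is part of the syntax) and shows what a `track by_src` entry with a bracketed IP list, the same list form snort.conf uses for variables like HOME_NET, does to each alert. The ISP resolver addresses are the ones from the thread; the Pi-hole address 192.168.1.2, the LAN client 192.168.1.50, the outside resolver 203.0.113.9 and the local-rule sid 1000001 are assumptions made up for the example.

```python
"""Simulate Snort 2.9 'suppress' entries offline (added example, not Snort code).

Re-implements just enough of the documented syntax
    suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip-list>
to show which alerts a given entry hides.  Snort's own parser is not used; the
config fragment and alert records below are constructed for illustration.
"""
import ipaddress
import re

# One suppress entry; the "track ..., ip ..." part is optional in Snort's syntax.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\[[^\]]*\]|\S+))?\s*$"
)


def parse_ip_list(text):
    """Parse a Snort-style IP list: one address/CIDR or a bracketed, comma-separated list."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in text.split(",") if p.strip()]


def is_valid_suppress_line(line):
    """True if the line matches the documented syntax (note the comma after the sig_id value)."""
    return SUPPRESS_RE.match(line.strip()) is not None


def parse_suppress_config(config_text):
    """Return the suppress entries found in a snort.conf / threshold.conf fragment."""
    entries = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed suppress entry: {raw.strip()!r}")
        gid, sid, track, ips = m.groups()
        entries.append({
            "gid": int(gid),
            "sid": int(sid),
            "track": track,                           # None: suppress the sid for every address
            "nets": parse_ip_list(ips) if ips else [],
        })
    return entries


def is_suppressed(alert, entries):
    """Apply the entries to one alert record with keys gid, sid, src, dst."""
    for e in entries:
        if (alert["gid"], alert["sid"]) != (e["gid"], e["sid"]):
            continue
        if e["track"] is None:
            return True
        # by_src tests the packet's source address, by_dst its destination address
        addr = ipaddress.ip_address(alert["src"] if e["track"] == "by_src" else alert["dst"])
        if any(addr in net for net in e["nets"]):
            return True
    return False


def filter_alerts(config_text, alerts):
    """Return the alerts that would still be raised with the given suppress entries."""
    entries = parse_suppress_config(config_text)
    return [a for a in alerts if not is_suppressed(a, entries)]


# Constructed config fragment: the thread's entry with the comma after the sig_id
# value added and the addresses written as a bracketed list.  24.25.5.60/.61 are the
# ISP resolvers named in the thread; 192.168.1.2 is an ASSUMED Pi-hole address.
CONFIG = """
# event suppression (example fragment, not a stock snort.conf)
suppress gen_id 1, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61,192.168.1.2]
"""

# Constructed alert records; sid 1000001 is a placeholder local-rule sid, not a real rule.
ALERTS = [
    {"gid": 1, "sid": 19187, "src": "24.25.5.60", "dst": "192.168.1.2"},    # ISP resolver reply to Pi-hole
    {"gid": 1, "sid": 19187, "src": "192.168.1.2", "dst": "192.168.1.50"},  # Pi-hole reply to a LAN client
    {"gid": 1, "sid": 19187, "src": "203.0.113.9", "dst": "192.168.1.2"},   # some other resolver: still alerts
    {"gid": 1, "sid": 1000001, "src": "24.25.5.60", "dst": "192.168.1.2"},  # different sid: untouched
]

if __name__ == "__main__":
    for a in filter_alerts(CONFIG, ALERTS):
        print("still alerts:", a)
```

Two things the run makes visible: suppression is keyed on the exact gid/sid pair, so a different sid from the same resolver is still raised, and `track by_src` only ever looks at the source address, which is the right choice here because the alerts fire on the resolver's reply (the source is the ISP server or the Pi-hole), but an alert whose only listed address is the destination would not be hidden. The entry itself belongs in snort.conf, or in threshold.conf if your snort.conf includes it (the stock snort.conf carries an `include threshold.conf` line; check yours), and Snort has to be restarted or reloaded for it to take effect.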

On Sep 10, 2017, at 2:29 PM, Ron Sinclair via Snort-users <snort-users () lists snort org> wrote:

You'd have to tune Snort itself (rules and/or processors), not BASE.  BASE will allow you to see/manipulate the 
alerts, but that's about it.

Ron Sinclair
unixfool () gmail com


On Sat, Sep 9, 2017 at 6:49 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:
All,

If I am posting off-topic, please let me know. I have installed snort, barnyard2, oinkmaster, and BASE.  Everything 
seems to be working very well.  I followed one of the how-tos on the snort site. I am slowly learning and have 
tried several IDS without success. The config I have now seems to be stable and I am very happy with it. I just need 
to start configuring BASE and I cannot find any help on the web. I need to start learning how to tell BASE what is 
significant and what is not and to alert me on important stuff. I would also like to try and get some of the graph 
stuff working as it doesn't seem to work. 

This is the guide I followed. 

https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1505000935&Signature=Z7Tc484O02UTenkqQPax%2BFythyE%3D

Thanks,
Dan
(770) 624-1010
pdobrien3 () gmail com

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

