Snort mailing list archives
Re: Snort / Rules / Pulled Pork
From: Dan O'Brien via Snort-users <snort-users () lists snort org>
Date: Sat, 16 Sep 2017 16:35:18 -0400
Thank you very much for your response. Please allow me to clarify a couple things within your original response.

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad

> On Sep 16, 2017, at 10:27 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:
>
>> On Sat, Sep 16, 2017 at 3:20 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:
>>
>> Ok, slowly I am trying to figure this out. I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg firewall client long host entry exploit attempt-19187" alerts. The source ip for all the alerts are my internet service provider's DNS servers along with the ip of my Pi-hole Raspberry Pi. So, I need a simple filter for this rule correct? I figure I need this:
>>
>> suppress gen_id 3, sig_id 19187 track by_src, ip 24.25.5.60,24.25.5.61
>
> readable examples are given at https://www.snort.org/faq/readme-filters https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters

Thank you for this, this is where I actually learned the suppress command I used but this is confusing (see below).

>> I ended up trying it in several different locations including snort.conf and local.rules without any effect.
>
> snort.conf contains the line include threshold.conf where you can write those suppress filters.

The link above indicates that thresholding is being deprecated. I originally believed that in the future, threshold.conf would be going bye-bye so using it now would be counter productive. Before writing this response, I again re-read the filter readme and the second time I think I read it differently. The second time I read it, I understood that the standalone threshold statement would be deprecated. Is this different than using threshold.conf?

>> Last night, I put the statement at the bottom of snort.rules, which is where all the pulled pork rules are. IT WORKED :-). I woke up this am, hoping to continue eliminating some of my false positives through this method and my additions were no longer at the bottom of the pulled pork/snort.rules list.
>
> pulledpork is configurable to download and update snort.rules - maybe this is what happened?

Absolutely what happened. My confusion is in the fact that the suppress statements in yesterday's snort.rules are still working today even after pulled pork downloaded and updated snort.rules. My suppress statements are still working even though they are not in snort.rules due to being overwritten by the download today. They had to be written elsewhere? No biggie other than should my suppress statements not be correct, I have no idea how to delete them.

> Marcin
>
>> The false positives are still being enforced though. I realize I am new and asking some really noob questions. I always try and find the answers on the internet, problem is, I end up with old information. Any assistance greatly appreciated
>>
>> Thanks,
>> Dan
>>
>> "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
>>
>> Sent from my iPad
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists snort org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
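The thread's practical problem is that a suppress statement written into snort.rules is wiped on the next PulledPork run, while one kept in threshold.conf (which snort.conf includes) persists, and once a filter has been pasted into several files it is hard to tell where it is actually coming from. The script below is an added example for this thread, not code from Snort or PulledPork: it follows the include chain from snort.conf, lists every suppress line it reaches, and flags those that sit in a file the rule updater regenerates or that do not match the form documented in README.filters. The directory layout, the managed-file name snort.rules, and the treatment of '#' as a comment marker are assumptions of the demo; the two addresses are the ones from the original message, and the line placed in snort.rules reproduces the original statement (no comma before "track") so the report shows it being flagged.

```python
"""Locate Snort 2.x 'suppress' statements reachable from snort.conf and
report where each one lives, so a filter that quietly disappears (because
it was written into a file the rule updater regenerates) can be found,
kept in threshold.conf, or deleted on purpose.

Added example for the mailing-list thread; not Snort's or PulledPork's own
code. The layout, the 'snort.rules' managed-file name and the '#' comment
handling are assumptions for the demo."""
import re
import tempfile
from pathlib import Path

# Documented form (README.filters):
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip-list>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$",
    re.IGNORECASE,
)
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")


def _expand(text, variables):
    """Substitute $NAME with the value from an earlier 'var NAME value' line."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), text)


def find_suppressions(snort_conf, managed=("snort.rules",)):
    """Walk snort.conf and, recursively, every file it includes.

    Returns one dict per 'suppress' line: file, line number, text, whether it
    matches the documented form, gid/sid, and whether it sits in a file named
    in `managed` (assumed to be rewritten by the rule updater)."""
    root = Path(snort_conf).resolve()
    variables, seen, found = {}, set(), []

    def walk(path):
        if path in seen or not path.is_file():
            return
        seen.add(path)
        for lineno, raw in enumerate(path.read_text().splitlines(), 1):
            line = raw.split("#", 1)[0].strip()  # drop '#' comments (assumed)
            if not line:
                continue
            if (m := VAR_RE.match(line)):
                variables[m.group(1)] = _expand(m.group(2), variables)
            elif (m := INCLUDE_RE.match(line)):
                target = Path(_expand(m.group(1), variables))
                walk(target if target.is_absolute() else (root.parent / target).resolve())
            elif line.lower().startswith("suppress"):
                m = SUPPRESS_RE.match(line)
                found.append({
                    "file": path.name, "line": lineno, "text": line,
                    "valid": m is not None,
                    "gid": int(m["gid"]) if m else None,
                    "sid": int(m["sid"]) if m else None,
                    "managed": path.name in managed,
                })

    walk(root)
    return found


def build_sample_config():
    """Write a constructed mini deployment to a temp dir; return snort.conf's path."""
    base = Path(tempfile.mkdtemp(prefix="snort-demo-"))
    (base / "rules").mkdir()
    (base / "snort.conf").write_text(
        "# constructed sample, not a real deployment\n"
        "var RULE_PATH rules\n"
        "include threshold.conf\n"
        "include $RULE_PATH/snort.rules\n"
        "include $RULE_PATH/local.rules\n")
    (base / "threshold.conf").write_text(
        "# persistent home for suppress / event_filter statements\n"
        "suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60\n"
        "suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.61\n")
    (base / "rules" / "snort.rules").write_text(
        "# regenerated by the rule updater on every run: edits here do not survive\n"
        "suppress gen_id 3, sig_id 19187 track by_src, ip 24.25.5.60\n")
    (base / "rules" / "local.rules").write_text("# local rules only\n")
    return str(base / "snort.conf")


def report(snort_conf):
    """Print one line per suppress statement with any warnings attached."""
    for r in find_suppressions(snort_conf):
        flags = []
        if r["managed"]:
            flags.append("MANAGED FILE: will be lost on the next rule update")
        if not r["valid"]:
            flags.append("does not match the documented suppress form")
        suffix = f"   <- {'; '.join(flags)}" if flags else ""
        print(f"{r['file']}:{r['line']}  {r['text']}{suffix}")


if __name__ == "__main__":
    report(build_sample_config())
```

Run it against a real deployment with report("/etc/snort/snort.conf"); the two statements in threshold.conf come back clean, while the copy in snort.rules is reported both as living in a regenerated file and as not matching the documented form. If you make the updater manage other files as well, pass their names in the managed tuple.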
Current thread:
- Snort / Rules / Pulled Pork Dan O'Brien via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Marcin Dulak via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Dan O'Brien via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Marcin Dulak via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Dan O'Brien via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Marcin Dulak via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Dan O'Brien via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Dan O'Brien via Snort-users (Sep 16)
- Re: Snort / Rules / Pulled Pork Marcin Dulak via Snort-users (Sep 16)