Snort mailing list archives

Re: snort_ddos.rules and snort_dos.rules


From: Joel Esler via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 19 Jan 2024 17:14:58 -0500

AppID is open source, detection can be written for it.

On Jan 19, 2024, at 15:04, Jonathan Lee <jonathanlee571 () gmail com> wrote:

Yeah you can check this out… pf can do os detect and it can spot a docker container with bleeding edge Kali running 
inside of it.

os detect it with pf

<docker fingerprinting (3).docx>


On Jan 19, 2024, at 11:53, Joel Esler <eslerj () gmail com> wrote:

Not sure that’s something you could detect with a network product?

On Jan 18, 2024, at 17:57, Jonathan Lee <jonathanlee571 () gmail com> wrote:

What we really need is a way to detect invasive containers and BSD jails and have them part of AppID. Some 
containers are sitting and data marshaling the network cards. I saw one a year ago that, when I got access to the 
container and could see it, self-deleted.

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Joel Esler via Snort-sigs <snort-sigs () 
lists snort org>
Sent: Thursday, January 18, 2024 14:34
To: Patrick Ambühl <patrick.ambuhl () applic8 com>
Cc: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] snort_ddos.rules and snort_dos.rules
 
Yes.  In fact, I deprecated them when I was still at Sourcefire (before we were purchased by Cisco!).  There 
hasn't been anything in those categories for years.  If you want DDOS/DOS rules, you need to look at the 
classification in the rules for denial-of-service.


Rule Category Reorganization (blog.snort.org): https://blog.snort.org/2012/03/rule-category-reorganization.html

Rule Category Reorganization Phase 2 (blog.snort.org): https://blog.snort.org/2012/08/rule-category-reorganization-phase-2.html


On Jan 17, 2024, at 06:40, Patrick Ambühl via Snort-sigs <snort-sigs () lists snort org> wrote:


Are these two rules deprecated? I see them as options in Snort/pfSense, but when enabled no rules are displayed 
(active or disabled). I also checked the snortrules-snapshot-31470.tar.gz and could not find these rules either.


Thank you

Patrick
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most 
emerging threats: https://snort.org/downloads/#rule-downloads



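Joel's advice above is that the empty snort_ddos.rules / snort_dos.rules category files are not where DoS coverage lives; the relevant rules are spread across other files and are identified by their classtype. The following is an added example, not code from the thread or from the Snort project, that shows how to pull those rules out of a rules file by classtype. The three classtype names it looks for (denial-of-service, attempted-dos, successful-dos) are the DoS-related entries defined in Snort's classification.config; the rule lines embedded in the script are constructed for the example and are not real ruleset entries.

```python
"""Locate denial-of-service rules in a Snort rules file by classtype.

Added example for the snort-sigs thread; not part of the Snort project.
"""
import re
from collections import Counter

# DoS-related classtypes from Snort's classification.config.
DOS_CLASSTYPES = frozenset({"denial-of-service", "attempted-dos", "successful-dos"})

# Constructed sample rules (placeholders, not real Snort ruleset entries).
SAMPLE_RULES = """\
# Example rules file constructed for this script
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE HTTP request flood"; flow:to_server; \\
    threshold:type threshold, track by_src, count 100, seconds 1; classtype:attempted-dos; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS amplification"; classtype:denial-of-service; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; classtype:attempted-recon; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE service crash (successful-dos)"; classtype:successful-dos; sid:1000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE disabled SYN flood"; classtype:attempted-dos; sid:1000005; rev:1;)
"""

# A rule is: optional '#' (disabled), an action, the header up to '(', then the options in parentheses.
_RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop|block)\s+'
    r'(?P<header>[^(]*)\((?P<opts>.*)\)\s*$'
)
_OPT_RES = {
    "msg": re.compile(r'msg:\s*"([^"]*)"\s*;'),
    "classtype": re.compile(r'classtype:\s*([\w-]+)\s*;'),
    "sid": re.compile(r'\bsid:\s*(\d+)\s*;'),
    "rev": re.compile(r'\brev:\s*(\d+)\s*;'),
}


def _logical_lines(text):
    """Join backslash-continued lines, which Snort allows inside a rule."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_rule(line):
    """Return a dict for one rule line, or None for comments/blank lines."""
    m = _RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group("opts")
    rule = {
        "enabled": m.group("disabled") is None,  # '#'-prefixed rules are disabled, not comments
        "action": m.group("action"),
        "header": m.group("header").strip(),
    }
    for name, rx in _OPT_RES.items():
        om = rx.search(opts)
        rule[name] = om.group(1) if om else None
    for num in ("sid", "rev"):
        if rule[num] is not None:
            rule[num] = int(rule[num])
    return rule


def parse_rules(text):
    """Parse every rule in a rules-file body, skipping non-rule lines."""
    return [r for r in (parse_rule(ln) for ln in _logical_lines(text)) if r]


def dos_rules(text, classtypes=DOS_CLASSTYPES):
    """Rules whose classtype is one of the DoS classtypes (enabled or disabled)."""
    return [r for r in parse_rules(text) if r["classtype"] in classtypes]


def classtype_summary(text):
    """Count rules per classtype, useful for seeing what a ruleset actually covers."""
    return Counter(r["classtype"] for r in parse_rules(text))


if __name__ == "__main__":
    for r in dos_rules(SAMPLE_RULES):
        state = "enabled " if r["enabled"] else "disabled"
        print(f'{state} sid:{r["sid"]} rev:{r["rev"]} {r["classtype"]:18} {r["msg"]}')
    print(dict(classtype_summary(SAMPLE_RULES)))
```

To use it against a real download, replace SAMPLE_RULES with the contents of each file under the ruleset's rules/ directory and concatenate the results; the classtype is the stable handle for the DoS category, regardless of which category file a rule happens to sit in.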
