Snort mailing list archives
RE: Alert question???
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Tue, 13 Aug 2002 13:36:44 -0400
Another way to limit flooding with this rule is to specify:

alert tcp $Home_Net any -> $External_Net any (msg:)

Doing so will track word usage coming out of the LAN only, which is much better for its usage as a 'policy' rule.

cheers,
John

-----Original Message-----
From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
Sent: Tuesday, August 13, 2002 1:19 PM
To: quentyn () fotango com; Joe Giles
Cc: Know How; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alert question???

Yeah, they were a joke, but they sometimes come in useful. I have disabled any rule that has a single word in it, and any common phrases. I also created a variable that contains IP addresses I exclude. You might want to exclude things like Hotmail and Yahoo mail because of people deleting junk mail. You just need to spend a little time working out which sites are triggering, and exclude them if they are something like CNN.

A request to remove some porn rules is in the queue. If you look at the PORN Virgin rule you will see it is matching on the content "virgin", so it is not a bug, just a poor rule. If you really wanted to match on virgin you would do " virgin ", and even then you are going to get triggers on web pages that have, say, "The virgin Mary".

Have a look at the rules you have enabled and work out if it fits your environment. If not, disable it. A good tool for doing rule management is Oinkmaster. You can set the SID of the rules you want disabled, then update your rule set from the latest version on snort.org.

Ian

----- Original Message -----
From: <quentyn () fotango com>
To: "Joe Giles" <jgiles () joeman1 com>
Cc: "Know How" <beteachable () hotmail com>; <snort-users () lists sourceforge net>
Sent: Tuesday, August 13, 2002 12:51 PM
Subject: Re: [Snort-users] Alert question???
Joe Giles wrote:

Actually, I have been getting this too. I think it's a bug. If you look at the packet data, there is probably a word in there that starts or ends with VIRGIN. Like, for example, VIRGINIA. LOL... I just disabled the PORN section and use another app for that :)...

Hope this helps..

I thought that the porn rules were a piss take anyway? I thought that their presence was due to the other IDS vendors saying that they had them as a selling point?

Q
--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
`Naturally, a sysadmin's entire person is holy. We have the power to kill daemons.' Mike Sphar

-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
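Added example, not part of the thread: a small Python model of the three rule shapes discussed above (the original bare "virgin" content match, John's outbound-only $HOME_NET -> $EXTERNAL_NET variant, and a word-boundary match) run over constructed traffic, to show how much of the noise each one removes and why Ian's "virgin Mary" case still fires. $HOME_NET is assumed to be 192.0.2.0/24, and the rule dictionaries and packets are constructed for the demo rather than real Snort rule text or captures.

```python
import ipaddress
import re

# Assumed for the demo: $HOME_NET is this range; anything else is $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed rule variants, modelled on the thread (not real Snort rule text).
RULES = {
    # the original PORN rule: any direction, bare substring match
    "original": {"outbound_only": False, "whole_word": False, "content": "virgin"},
    # John's suggestion: only $HOME_NET -> $EXTERNAL_NET
    "outbound": {"outbound_only": True, "whole_word": False, "content": "virgin"},
    # John's direction plus a word-boundary match instead of a bare substring
    "outbound_word": {"outbound_only": True, "whole_word": True, "content": "virgin"},
}

# Constructed traffic: 192.0.2.10 is an internal host, the other addresses are external.
PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "payload": "GET /news/VIRGINIA-election HTTP/1.1"},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "payload": "GET /wiki/Virginia HTTP/1.1"},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "payload": "GET /art/the-virgin-mary HTTP/1.1"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "payload": "Subject: virgin mobile offer"},
]

def is_outbound(pkt):
    """True when the packet leaves $HOME_NET for $EXTERNAL_NET."""
    src_home = ipaddress.ip_address(pkt["src"]) in HOME_NET
    dst_home = ipaddress.ip_address(pkt["dst"]) in HOME_NET
    return src_home and not dst_home

def content_match(payload, needle, whole_word):
    """Model of Snort content + nocase (case-insensitive substring), or a word-boundary variant."""
    if whole_word:
        return re.search(r"\b" + re.escape(needle) + r"\b", payload, re.I) is not None
    return needle.lower() in payload.lower()

def evaluate(rule, pkt):
    """True if the packet passes the rule's direction test and its content test."""
    if rule["outbound_only"] and not is_outbound(pkt):
        return False
    return content_match(pkt["payload"], rule["content"], rule["whole_word"])

def alert_counts(packets=PACKETS, rules=RULES):
    """Number of alerts each rule variant raises over the sample traffic."""
    return {name: sum(evaluate(rule, p) for p in packets) for name, rule in rules.items()}

if __name__ == "__main__":
    # the "virgin Mary" packet fires under every variant: content matching alone
    # cannot separate policy violations from ordinary text, which is Ian's point
    print(alert_counts())  # {'original': 4, 'outbound': 2, 'outbound_word': 1}
```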