re: Which rules to get inline

[James Affeld <jamesaffeld () yahoo com>]

I'd be very wary of using rules that don't use the
'established' keyword.  The problem with IPS is that
it puts the firewall rules in the hands of the
attacker.  
The classic example is An attacker could spoof the
return address of your upstream router with a UDP
attack or a SYN scan, and if your IPS blocks it, your
router drops off the net.  (This presumes IPS in front
of router)

So you definitely want to be sure that you have a real
connection to the offending host before cutting it
off.
It's hard to spoof the source of tcp connections.  

I'd run Snort for a while to see what the reliable
rules are for your net, then think about blocking
automatically based on them.  
 
> Message: 1
> Date: Sun, 6 Mar 2005 22:25:42 +0100 (MET)
> From: mosquitooth () gmx net
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Which rules to get inline
>
> Hi,
>
> as snort is able to get 'inline' and therefore act
> as an IPS. But, as there
> are still some false positives, it seems to me that
> not every rule is useful
> in an IPS environment - but which are? I think that
> especially the
> BAD_TRAFFIC and BACKDOOR rules won't fail often - so
> these would be of first
> choice when deploying an 'IPS'. Do you agree? Which
> rules do you think would
> serve this purpose?
>
> Thanks for any answers on this poll,
>
> Peter
>
> -- 
> DSL Komplett von GMX +++ Supergünstig und stressfrei
> einsteigen!
> AKTION "Kein Einrichtungspreis" nutzen:
> http://www.gmx.net/de/go/dsl
>
>
> --__--__--
>
> Message: 2
> From: "Neil" <nro () ix netcom com>
> To: <snort-users () lists sourceforge net>
> Date: Sun, 6 Mar 2005 18:09:42 -0500
> Subject: [Snort-users] take a .pcap file and convert
> to .csv file
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0000_01C52277.AC14E3F0
> Content-Type: text/plain;
>       charset="us-ascii"
> Content-Transfer-Encoding: 7bit
>
> snort users list:
>
>  
>
> I am new to snort.
>
> I am running snort on a windows XP box (sorry my
> *nix boxes are currently
> offline).
>
> How do I simultaneously read a tcpdump file and
> output this same file to csv
> (for Excel use)?
>
>  
>
> I can read the tcpdump file
>
> F:\snort\bin>snort -r  file.pcap 
>
>  
>
> and I have added the following to snort.conf
>
> output alert_CSV: F:\Snort\log\alert.csv
> timestamp,msg,proto,src,srcport,dst,dstport
>
>  
>
>  
>
> However, How do I combine both actions at once?
>
>  
>
> When I run F:\snort\bin>snort -r  file.pcap  a csv
> file never materializes.
>
>  
>
> I've read through several email archives, and did
> not quite see this issue,
> and tried a few things from answers to other
> questions with no luck.
>
> Thanks
>
> -neil
>
>
> ------=_NextPart_000_0000_01C52277.AC14E3F0
> Content-Type: text/html;
>       charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> <html
> xmlns:o=3D"urn:schemas-microsoft-com:office:office"
> =
> xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
> xmlns=3D"http://www.w3.org/TR/REC-html40";>
>
> <head>
> <META HTTP-EQUIV=3D"Content-Type"
> CONTENT=3D"text/html; =
> charset=3Dus-ascii">
> <meta name=3DGenerator content=3D"Microsoft Word 11
> (filtered medium)">
> <style>
> <!--
>  /* Style Definitions */
>  p.MsoNormal, li.MsoNormal, div.MsoNormal
>       {margin:0in;
>       margin-bottom:.0001pt;
>       font-size:12.0pt;
>       font-family:"Times New Roman";}
> a:link, span.MsoHyperlink
>       {color:blue;
>       text-decoration:underline;}
> a:visited, span.MsoHyperlinkFollowed
>       {color:purple;
>       text-decoration:underline;}
> span.EmailStyle17
>       {mso-style-type:personal-compose;
>       font-family:Arial;
>       color:windowtext;}
> @page Section1
>       {size:8.5in 11.0in;
>       margin:1.0in 1.25in 1.0in 1.25in;}
> div.Section1
>       {page:Section1;}
> -->
> </style>
>
> </head>
>
> <body lang=3DEN-US link=3Dblue vlink=3Dpurple>
>
> <div class=3DSection1>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>snort
> users =
> list:<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>I am
> new to =
> snort.<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>I am
> running snort on a =
> windows XP
> box (sorry my *nix boxes are currently =
> offline).<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>How do
> I simultaneously =
> read a
> tcpdump file and output this same file to csv (for
> Excel =
> use)?<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>I can
> read the tcpdump =
> file<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>F:\snort\bin&gt;snort
> =
> -r&nbsp; file.pcap <o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>and I
> have added the =
> following to
> snort.conf<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>output
> alert_CSV:
> F:\Snort\log\alert.csv =
timestamp,msg,proto,src,srcport,dst,dstport<o:p></o:p></span></font></p>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>However,
> How do I combine =
> both
> actions at once?<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>When I
> run =
> F:\snort\bin&gt;snort -r&nbsp;
> file.pcap&nbsp; a csv file never =
> materializes.<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
> style=3D'font-size:10.0pt;font-family:Arial'>I've
> read through several =
> email
> archives, and did not quite see this issue, and
> tried a few things from =
> answers
> to other questions with no
> luck.<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal
> style=3D'text-autospace:none'><font size=3D2 =
> face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>Thanks<o:p></o:p></span></fo=
> nt></p>
>
> <p class=3DMsoNormal><font size=3D2
> face=3DArial><span =
> style=3D'font-size:10.0pt;
font-family:Arial'>-neil<o:p></o:p></span></font></p>
> </div>
>
> </body>
>
> </html>
>
> ------=_NextPart_000_0000_01C52277.AC14E3F0--
>
>
>
> --__--__--
>
> Message: 3
> Date: Sun, 06 Mar 2005 19:29:05 -0500
> From: Jason <security () brvenik com>
> To: Neil <nro () ix netcom com>
> CC:  snort-users () lists sourceforge net
> Subject: Re: [Snort-users] take a .pcap file and
> convert to .csv file
>
> if you are doing this offline and you want every
> packet to create a line 
> then you need a rule like follows as your only rule
>
> alert ip any any -> any any (msg:"Insane logs";
> sid:3000000; rev:1)
>
> There are likely better tools for creating a cvs
> file with header 
> information but it will work.
>
> Neil wrote:
> > snort users list:
> >
> >  
> >
> > I am new to snort.
> >
> > I am running snort on a windows XP box (sorry my
> *nix boxes are 
> > currently offline).
> >
> > How do I simultaneously read a tcpdump file and
> output this same file to 
> > csv (for Excel use)?
> >
> >  
> >
> > I can read the tcpdump file
> >
> > F:\snort\bin>snort -r  file.pcap
> >
> >  
> >
> > and I have added the following to snort.conf
> >
> > output alert_CSV: F:\Snort\log\alert.csv 
> > timestamp,msg,proto,src,srcport,dst,dstport
> >
> >  
> >
> >  
> >
> > However, How do I combine both actions at once?
> >
> >  
> >
> > When I run F:\snort\bin>snort -r  file.pcap  a csv
> file never materializes.
> >  
> >
> > I've read through several email archives, and did
> not quite see this 
> > issue, and tried a few things from answers to
> other questions with no luck.
> > Thanks
> >
> > -neil
>
>
> --__--__--
>
> Message: 4
> Date: Sun, 6 Mar 2005 21:49:28 -0500
> From: Jason Benway <benwaynet () gmail com>
> Reply-To: Jason Benway <benwaynet () gmail com>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] error starting snort
>
> I started trying to update the snort rules using
> oinkmaster
> Before I started updating the rules everything was
> working.
> I have all my rules in /etc/snort/rules
> I did try adding the bleeding snort rules, but I've
> commented them out
> and I'm still getting the error.
>
> But now I get
> ERROR: ./snort.conf(289) => Unable to open the IIS
> Unicode Map file
> './unicode.map'.
> Fatal Error, Quitting..
>
> thanks,jb
>
>
>
> --__--__--
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
> End of Snort-users Digest



        
                
__________________________________ 
Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 
http://birthday.yahoo.com/netrospective/


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users