Snort mailing list archives
Re: proper metadata use?
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 28 Apr 2010 23:36:14 -0500
Sure, I just thought maybe this wasn't the proper metadata tag for these rules, if people started to leverage this to build drop rule-sets using pulled-pork, oinkmaster or whatever.

Regards,
Will

On Tue, Apr 27, 2010 at 7:04 PM, JJ Cummings <cummingsj () gmail com> wrote:
Will, certainly a valid concern.... Currently pulledpork does not set rules automatically to a "drop" state... But rather alert only... The user must specify to pulledpork what rules they want to set as drop, using the dropsid configuration option...

HTH

JJC

Sent from the iRoad

On Apr 27, 2010, at 17:37, Will Metcalf <william.metcalf () gmail com> wrote:

Is the metadata policy for all of these rules correct? If people start using pulled-pork for policy drop stuff... or maybe I'm misunderstanding the meaning of this metadata tag.

grep "security-ips drop" *.rules | grep "flowbits\:\s*noalert"

Looks like it would end up in a lot of traffic that is being used for protocol decode. It is generally a bad idea to mix drop and flowbits:noalert as valid traffic ends up getting dropped and the users have no idea why. Just my 2 cents....

Regards,
Will
------------------------------------------------------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
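The check that the grep in the thread performs, carried a step further as an added example that is not part of the thread and not pulledpork's or oinkmaster's code: a small Python parser that splits Snort rule options (honouring quoted strings and backslash escapes, which a plain grep does not), and reports every rule whose metadata marks it drop under a given policy while the rule is also flowbits:noalert. The sample rules, their msg strings and SIDs 9000001 to 9000003 are constructed for the example; the policy name defaults to security-ips but can be any policy used in the metadata keyword.

```python
import sys

# Constructed sample rules for the example (not from the thread); SIDs 9000001-9000003 are placeholders.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE http state helper"; flow:to_server,established; content:"GET|3B|"; flowbits:set,example.http; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE real detection"; flow:to_server,established; flowbits:isset,example.http; content:"a\;b"; metadata:policy security-ips drop; sid:9000002; rev:1;)
# comment lines and blank lines are skipped
alert tcp any any -> any 25 (msg:"EXAMPLE smtp helper, alert only"; flowbits:set,example.smtp; flowbits:noalert; metadata:policy security-ips alert; sid:9000003; rev:1;)
'''


def split_options(body):
    """Split the text inside a rule's parentheses on ';' outside quotes; a backslash escapes the next char."""
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            options.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = ''.join(current).strip()
    if tail:
        options.append(tail)
    return options


def parse_rule(line):
    """Return the fields this check needs, or None for blank, comment or non-rule lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    start, end = line.find('('), line.rfind(')')
    if start == -1 or end <= start:
        return None
    rule = {'sid': None, 'msg': '', 'flowbits': [], 'policies': {}}
    for opt in split_options(line[start + 1:end]):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == 'sid':
            rule['sid'] = value
        elif name == 'msg':
            rule['msg'] = value.strip('"')
        elif name == 'flowbits':
            rule['flowbits'].append(value)
        elif name == 'metadata':
            # metadata is a comma-separated list of "key value ..." items, e.g. "policy security-ips drop"
            for item in value.split(','):
                parts = item.split()
                if len(parts) == 3 and parts[0] == 'policy':
                    rule['policies'][parts[1]] = parts[2]
    return rule


def find_conflicts(rules_text, policy='security-ips'):
    """Return (sid, msg) for rules that are 'drop' under `policy` yet never alert (flowbits:noalert)."""
    hits = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule['policies'].get(policy) == 'drop' and 'noalert' in rule['flowbits']:
            hits.append((rule['sid'], rule['msg']))
    return hits


if __name__ == '__main__':
    # Usage: python3 check_drop_noalert.py [file.rules ...]; with no files the constructed sample is checked.
    files = sys.argv[1:]
    text = ''.join(open(f).read() for f in files) if files else SAMPLE_RULES
    for sid, msg in find_conflicts(text):
        print(f'sid:{sid} is security-ips drop but flowbits:noalert -> "{msg}"')
```

Run over the sample, only sid 9000001 is reported: it is a state-tracking helper that never alerts, so a drop policy built from its metadata would silently discard the traffic it decodes. sid 9000002 is drop but alerts normally, and sid 9000003 is noalert but only alert under security-ips, so neither is flagged.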
Current thread:
- proper metadata use? Will Metcalf (Apr 27)
- Re: proper metadata use? JJ Cummings (Apr 27)
- Re: proper metadata use? Will Metcalf (Apr 28)
- Re: proper metadata use? JJ Cummings (Apr 27)