Snort mailing list archives

Re: (no subject)


From: Dave Venman <dvenman () sourcefire com>
Date: Fri, 4 Mar 2011 06:10:54 +0000

Rather than suppress it, why not use flowbits:noalert - that's what it was
designed for?

On 4 March 2011 00:49, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Makes perfect sense, and what I've done to address the issue you raised at
the end of your email, is keep the flowbits:set rule enabled, but create a
suppress statement for it.

PS. And I'm excited to see the new features!

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com]
Sent: Thursday, March 03, 2011 4:44 PM
To: Jefferson, Shawn
Cc: Jason Wallace; wkitty42 () windstream net;
snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

To address this, the logic behind PP does just what Jason had said...
if you have rules that are looking for flowbits:isset values, it enables
the respective, and required, flowbits:set values.

Further, if you have specified a flowbits:set rule to be explicitly
disabled in the disablesid.conf section and PP needs to automatically
re-enable that due to it being a dependency of other rules, it will do so..
and Shawn, to address your concern.. that was a feature request that has
been added to the current version that can be found in the svn repo.  I
anticipate having a release out soon, it contains numerous bug-fixes and
feature enhancements.. I'm just waiting on some code commits to complete.

Consider this logic re: flowbit auto re-enabling:

I have 3 critical rules that look for current 0-day type traffic..
they all contain flowbits:isset,this.foo; and you disabled the rule that
contains flowbits:set,this.foo; because it was generating an event like
"POLICY this schmuck downloaded tha foo!" and you did not want to see that.
By disabling, and subsequently not re-enabling the rule containing
flowbits:set,this.foo; you would be silently disabling the other 3 critical
rules that relied on that flowbit, make sense?

JJC



------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various alternative
solutions. http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email:   dave.venman () sourcefire com
Mobile: +44 (7917) 168068
DDI:     +44 (118) 989 8412
Fax:     +44 (118) 989 8401
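As an added illustration of the dependency logic JJC describes above (a sketch written for this archive page, not pulledpork's own code and not part of the thread): it parses a constructed rule set, finds disabled flowbits:set rules that enabled flowbits:isset rules depend on, and separately lists enabled setters that lack flowbits:noalert, the option Dave suggests. It goes one step past the thread by following chains of dependencies transitively; the rule text, sids and helper names are all assumptions.

```python
import re
# Constructed sample rules (not from the thread): sid 1000001 sets the bit and was commented
# out to silence its POLICY alert; 1000002/1000003 need it via isset; 1000005 lacks noalert.
SAMPLE_RULES = """\
# alert tcp any any -> any any (msg:"POLICY foo download"; flowbits:set,this.foo; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"CRITICAL stage 1"; flowbits:isset,this.foo; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"CRITICAL stage 2"; flowbits:isset,this.foo; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"unrelated"; flowbits:set,other.bit; sid:1000005; rev:1;)
"""
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")

def parse_rules(text):
    """Map sid -> {'enabled', 'sets', 'checks', 'noalert'}; a leading '#' means disabled."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if not line or not m:
            continue
        info = {"enabled": not line.startswith("#"), "sets": set(), "checks": set(), "noalert": False}
        for op, arg in FLOWBITS_RE.findall(line):
            # "set,name,group" carries a group after the bit; "isset,a&b" names several bits
            bits = set(re.split(r"[&|]", arg.split(",")[0].strip())) if arg else set()
            if op in ("set", "setx"):
                info["sets"] |= bits
            elif op == "isset":
                info["checks"] |= bits
            elif op == "noalert":
                info["noalert"] = True
        rules[int(m.group(1))] = info
    return rules

def sids_to_reenable(rules):
    """Disabled sids that must come back so every enabled isset check can match; follows chains."""
    enabled = {sid for sid, r in rules.items() if r["enabled"]}
    reenabled, pending = set(), list(enabled)
    while pending:
        for bit in rules[pending.pop()]["checks"]:
            for other, r in rules.items():
                if bit in r["sets"] and other not in enabled:
                    enabled.add(other)
                    reenabled.add(other)
                    pending.append(other)
    return reenabled

def setters_that_alert(rules):
    """Enabled rules that only set a bit and carry no flowbits:noalert: the noisy ones."""
    return {sid for sid, r in rules.items()
            if r["enabled"] and r["sets"] and not r["checks"] and not r["noalert"]}
```

Running sids_to_reenable on SAMPLE_RULES returns {1000001}, the setter the admin disabled; setters_that_alert returns {1000005}, the setter that still needs noalert or a suppress.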