Snort mailing list archives

Re: problems with PP


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 14 Sep 2012 09:52:37 -0400

You don't have to stop Snort to run pulledpork.

You can run it, then restart Snort, to minimize downtime.  Or, make it reload the ruleset while running.

On Sep 14, 2012, at 9:47 AM, "Michael Steele" <michaels () winsnort com> wrote:

Anything rule affiliated that is changed, PP has to be re-run in order to update.
 
The process: Stop Snort, Run PP, Start Snort
 
Michael...
 
From: Pratik Narang [mailto:pratik.cse.bits () gmail com] 
Sent: Friday, September 14, 2012 9:30 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] problems with PP
 
I enabled the 'security' policy via PP and have been getting these kinds of alerts by the dozen:
 
09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23-943 -> 172.16.100.107:60294
09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
09/14-18:55:28.774692  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
 
I put that sig id into my disablesid.conf, but I continue to get the alerts. What could be wrong here? What is the correct way of putting the sids: 16282, 1:16282, or 1:16282:3?
I also tried putting the category 'VRT-p2p' in disablesid.conf, but to no avail :(
------------------------------------------------------------------------------
Got visibility?
Most devs have no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
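An added check that is not from the thread and is not PulledPork's own code: the replies say PP must be re-run and Snort restarted or reloaded before a disabled rule stops firing, so the script below parses fast-format alert lines like the ones quoted above for their gid:sid and confirms whether the matching rule line is commented out in the generated rules file. The alert lines are taken from the post; the rule lines are a constructed, simplified stand-in for the ruleset PulledPork writes.

```python
import re

# Constructed sample input: three of the alert lines quoted in the thread.
ALERTS = """\
09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
"""

# Constructed, simplified rule line standing in for the generated ruleset,
# before and after the rule is disabled (Snort ignores a rule line that starts with '#').
RULES_BEFORE = 'alert udp any any -> any any (msg:"PUA-P2P Bittorrent uTP peer request"; sid:16282; rev:3;)\n'
RULES_AFTER = "# " + RULES_BEFORE

# Snort "fast" alert format: timestamp [**] [gid:sid:rev] message [**] ...
ALERT_RE = re.compile(r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")


def parse_alerts(text):
    """Count alerts per 'gid:sid' key from fast-format alert lines."""
    counts = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            key = f"{m['gid']}:{m['sid']}"
            counts[key] = counts.get(key, 0) + 1
    return counts


def rule_states(rules_text):
    """Map 'gid:sid' -> True if the rule is active, False if commented out.
    A rule without an explicit gid option belongs to gid 1."""
    states = {}
    for line in rules_text.splitlines():
        s = line.strip()
        sid = re.search(r"\bsid:\s*(\d+)\s*;", s)
        if not sid:
            continue  # blank line or a comment that is not a rule
        gid = re.search(r"\bgid:\s*(\d+)\s*;", s)
        states[f"{gid.group(1) if gid else 1}:{sid.group(1)}"] = not s.startswith("#")
    return states


def still_active(alerts_text, rules_text):
    """Firing gid:sid keys that are not commented out in the ruleset.
    A firing sid missing from the file is reported too: nothing there disabled it."""
    states = rule_states(rules_text)
    return sorted(k for k in parse_alerts(alerts_text) if states.get(k, True))


if __name__ == "__main__":
    print("before:", still_active(ALERTS, RULES_BEFORE))  # ['1:16282']
    print("after: ", still_active(ALERTS, RULES_AFTER))   # []
```

Run it against the real alert file and the rules file PulledPork generates; any key still listed after Snort has been restarted or reloaded means that rule was never disabled in the ruleset Snort is actually loading.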
