Snort mailing list archives
Re: problems with PP
From: "Michael Steele" <michaels () winsnort com>
Date: Fri, 14 Sep 2012 09:58:03 -0400
Look inside the pulledpork.pl file for the switches. Use the -n switch for local delivery of rules. There is a little more to it than that. Scan the Snort mail archives for more information. Every time the user touches the rules PP need to be re-ran, and I believe PP has to complete the full process every time. Michael... From: Pratik Narang [mailto:pratik.cse.bits () gmail com] Sent: Friday, September 14, 2012 9:44 AM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] problems with PP Sorry for the trouble guys, the problem is resolved- I did not run PP after making changes to the disablesid file!! But this throws up another problem- I run Snort on a system which receives a netflow (or is it IPFIX?) and hence is not connected to the internet. But whenver PP starts, it tries to connect to the internet to look for new rules. Any suggestions for a work-around for this? It is not vey neat to keep plugging the neighboring system's ethernet cable to connect to the internet and run PP for every single rule I wish to add to enablesid.conf/disablesid.conf etc. Cant I make PP just do these 'local tasks' and not let it check for new rules? :) On Fri, Sep 14, 2012 at 7:00 PM, Pratik Narang <pratik.cse.bits () gmail com> wrote: I enabled the 'security' policy via PP and have been getting these kinds of alerts by the dozen : 09/14-18:55:28.774651 [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294 09/14-18:55:28.774654 [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23-943 -> 172.16.100.107:60294 09/14-18:55:28.774656 [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294 09/14-18:55:28.774692 [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294 I put that sig id into my disablesid.conf, but i continue to get the alerts. What could be wrong here? What is the correct way of putting the sids- 16282, 1:16282, or 1:16282:3 ? I also tried putting the category 'VRT-p2p' in disablesid.conf, but no avail :(
------------------------------------------------------------------------------ Got visibility? Most devs has no idea what their production app looks like. Find out how fast your code is with AppDynamics Lite. http://ad.doubleclick.net/clk;262219671;13503038;y? http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- problems with PP Pratik Narang (Sep 14)
- Re: problems with PP Pratik Narang (Sep 14)
- Re: problems with PP Joel Esler (Sep 14)
- Re: problems with PP Peter Bates (Sep 14)
- Re: problems with PP Michael Steele (Sep 14)
- Re: problems with PP Joel Esler (Sep 14)
- <Possible follow-ups>
- Re: problems with PP Michael Steele (Sep 14)
- Re: problems with PP Pratik Narang (Sep 14)