Snort mailing list archives

Re: problems with PP


From: "Michael Steele" <michaels () winsnort com>
Date: Fri, 14 Sep 2012 09:58:03 -0400

Look inside the pulledpork.pl file for the switches. Use the -n switch for
local delivery of rules. There is a little more to it than that. Scan the
Snort mail archives for more information.
Every time the user touches the rules, PP needs to be re-run, and I believe PP
has to complete the full process every time.
Michael...
From: Pratik Narang [mailto:pratik.cse.bits () gmail com] 
Sent: Friday, September 14, 2012 9:44 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] problems with PP
Sorry for the trouble guys, the problem is resolved: I did not run PP after
making changes to the disablesid file!!

But this throws up another problem: I run Snort on a system which receives a
netflow (or is it IPFIX?) and hence is not connected to the internet. But
whenever PP starts, it tries to connect to the internet to look for new
rules. Any suggestions for a work-around for this? It is not very neat to
keep plugging the neighboring system's ethernet cable to connect to the
internet and run PP for every single rule I wish to add to
enablesid.conf/disablesid.conf etc. Can't I make PP just do these 'local
tasks' and not let it check for new rules? :)

On Fri, Sep 14, 2012 at 7:00 PM, Pratik Narang <pratik.cse.bits () gmail com>
wrote:

I enabled the 'security' policy via PP and have been getting these kinds of
alerts by the dozen:
09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294

09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294

09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294

09/14-18:55:28.774692  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
I put that sig id into my disablesid.conf, but I continue to get the alerts.
What could be wrong here? What is the correct way of putting the sids:
16282, 1:16282, or 1:16282:3?

I also tried putting the category 'VRT-p2p' in disablesid.conf, but to no
avail :(
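As an added example (not pulledpork's own code, and not from anyone in this thread), the following Python checker takes the gid:sid pair from an alert's [gid:sid:rev] tag, which is the form (1:16282) a disablesid.conf entry uses, comments out the matching rules the way a disable would, and lists the sids that remain active, so a disable can be verified before Snort is restarted. The alert line and the miniature rules file are constructed for the example.

```python
import re

# Constructed sample fast-format alert line (not captured from a live sensor).
ALERT = ("09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request [**] "
         "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
         "{UDP} 172.16.39.102:23943 -> 172.16.100.107:60294")

# Constructed miniature rules file: two active rules, one already commented out.
RULES = """\
alert udp any any -> any any (msg:"PUA-P2P Bittorrent uTP peer request"; sid:16282; gid:1; rev:3;)
alert tcp any any -> any 80 (msg:"unrelated web rule"; sid:99999; rev:1;)
# alert tcp any any -> any 25 (msg:"already disabled"; sid:88888; rev:1;)
"""

TAG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")   # [gid:sid:rev] as printed in the alert

def alert_key(line):
    """gid:sid taken from the alert's [gid:sid:rev] tag; the rev is dropped."""
    m = TAG_RE.search(line)
    if not m:
        raise ValueError("no [gid:sid:rev] tag in alert line")
    return f"{m.group(1)}:{m.group(2)}"

def rule_key(rule):
    """gid:sid of a rule line, or None if it has no sid; gid defaults to 1 when absent."""
    sid = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    gid = re.search(r"\bgid:\s*(\d+)\s*;", rule)
    return f"{gid.group(1) if gid else '1'}:{sid.group(1)}" if sid else None

def apply_disablesid(rules_text, disabled_keys):
    """Comment out every active rule whose gid:sid is in disabled_keys; other lines pass through."""
    out = []
    for line in rules_text.splitlines():
        active = not line.lstrip().startswith("#")
        out.append("# " + line if active and rule_key(line) in disabled_keys else line)
    return "\n".join(out) + "\n"

def enabled_keys(rules_text):
    """gid:sid keys of rules that are still active; check this after a run before restarting Snort."""
    return {rule_key(l) for l in rules_text.splitlines()
            if not l.lstrip().startswith("#") and rule_key(l)}

if __name__ == "__main__":
    key = alert_key(ALERT)                       # "1:16282", the disablesid.conf form
    print("still enabled:", sorted(enabled_keys(apply_disablesid(RULES, {key}))))
```

Running it against the real rules file after a PP run (read the file instead of RULES) shows at once whether 1:16282 is still active, which is the check that was missing in the thread.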