Re: problems with PP

[Joel Esler <jesler () sourcefire com>]

Yes, there is an option to make Pulledpork only process locally.  I suggest a quick read of --help when you start 
pulledpork.

Thanks

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 14, 2012, at 9:43 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:

> Sorry for the trouble guys, the problem is resolved- I did not run PP after making changes to the disablesid file!!
> But this throws up another problem- I run Snort on a system which receives a netflow (or is it IPFIX?) and hence is 
> not connected to the internet. But whenver PP starts, it tries to connect to the internet to look for new rules. Any 
> suggestions for a work-around for this? It is not vey neat to keep plugging the neighboring system's ethernet cable 
> to connect to the internet and run PP for every single rule I wish to add to enablesid.conf/disablesid.conf etc. Cant 
> I make PP just do these 'local tasks' and not let it check for new rules? :)
>
> On Fri, Sep 14, 2012 at 7:00 PM, Pratik Narang <pratik.cse.bits () gmail com> wrote:
> I enabled the 'security' policy via PP and have been getting these kinds of alerts by the dozen :
>
> 09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential 
> Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential 
> Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23-943 -> 172.16.100.107:60294
> 09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential 
> Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774692  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential 
> Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
>
> I put that sig id into my disablesid.conf, but i continue to get the alerts. What could be wrong here? What is the 
> correct way of putting the sids- 16282, 1:16282, or 1:16282:3 ?
> I also tried putting the category 'VRT-p2p' in disablesid.conf, but no avail :(
>
> ------------------------------------------------------------------------------
> Got visibility?
> Most devs has no idea what their production app looks like.
> Find out how fast your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219671;13503038;y?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Got visibility?
Most devs has no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!