Snort mailing list archives

Re: Using pulled pork to change rule state from alert to drop for a policy type


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Wed, 27 Mar 2013 16:53:04 -0400

I know it's a little bit delayed (I've been insanely busy these days), but I wanted to let you all know that I appreciate the feedback.

On Mon, Mar 25, 2013 at 12:19 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 3/24/2013 12:41, Tony Robinson wrote:
>> 5. Modify your snort rules to drop traffic in inline mode.
>>
>> My question revolves around 5. I'm well aware that pulled pork, via dropsid.conf, can be used to change alert rules to drop rules. I'm worried about haphazardly changing all the rules in my snort.rules file to DROP ALL THE THINGS.
>
> there are two (2) camps to this particular question...
>
> 1. are you running the novell netmail server (mentioned in next quoted paragraph) on your network? is it patched up to date and fixed for this specific flaw? if the answer is "yes", then you don't need to run this rule, do you? for one thing, not loading this rule will lower snort's memory footprint as well as increasing snort's processing speed since it doesn't have to process the rule. so run only those rules that pertain to your network and the equipment and servers allowed to run on it...
>
> 2. i'm kinda in the other camp... if someone is sending bad data to my system, i want to know about it... don't shake (test) the door knob on my front door to see if it is opened for you to just walk in... if you try to connect to mssql on my network from outside my network, i want to know about it... a) there's no reason for someone outside my network to try to connect to any sql servers there may be on my network, b) sql servers should not face the world wild whirl and c) how would you know there was a server there unless you've been probing and hunting for holes in which case, you are definitely up to no good and will be blocked...
>
>> What I would like to do: If I see a rule with policy metadata that recommends the rule be set to drop, I want to change that rule from alert to drop. Let's pick on sid 1:10011 -- SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt, just to illustrate what I'm trying to do.
>
> see above camp 1 unless you are in camp 2 ;)
>
>> It has the line "metadata:policy security-ips drop" indicating that: "If the user is using a security over connectivity ruleset, this would make a good drop rule in that rule policy configuration."
>
> ok...
>
>> If I am using a given rule policy configuration in pulled pork (balanced, connectivity or security), and I see a rule with metadata that indicates a given rule would make a good drop rule for that policy ruleset (metadata: policy balanced-ips || policy connectivity-ips || policy security-ips), I want to use pulledpork to change it to a drop rule. Is there an effective way to do this?
>>
>> If there is not, I think this would make for an awesome feature request in PP.
>
> i'll let others speak on this since i don't (yet) use pulledpork... i don't yet know how i would do it in my package but i have a rough idea... if PP doesn't have it, i agree that it would be a nice feature...


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
when does reality end? when does fantasy begin?
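As an added example (not code from this thread or from pulledpork itself), the following Python script does what Tony asks for: it parses each rule in a snort.rules file, reads the `metadata:policy <name>-ips <state>` entries, rewrites `alert` to `drop` only where the chosen policy (connectivity, balanced or security) recommends drop, and collects the affected rules as gid:sid values, which is assumed here to be the entry form dropsid.conf accepts. The sample rules are constructed for the demonstration: their option bodies are simplified stand-ins, and every sid except 1:10011 is made up.

```python
import re

# Constructed sample snort.rules content: rule bodies are simplified stand-ins, not real Talos rule text.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt; sample"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service imap; sid:10011; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"sample mssql probe"; flow:to_server; metadata:policy security-ips drop, service mssql; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample informational"; metadata:policy security-ips alert, service http; sid:9000002; rev:1;)
# comment and blank lines pass through untouched
"""

# One option = a run of quoted strings (which may contain ';') and non-';' characters.
_OPT_RE = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^;"])+')

def split_options(options):
    """Split a rule option body on ';' while respecting quoted msg/content strings."""
    return [o.strip() for o in _OPT_RE.findall(options) if o.strip()]

def parse_rule(line):
    """Return (action, header, options) or None for comments, blanks and non-rule lines."""
    m = re.match(r'^\s*(alert|drop|sdrop|reject|pass|log)\s+(.*?)\s*\((.*)\)\s*$', line)
    return (m.group(1), m.group(2), split_options(m.group(3))) if m else None

def policy_state(options, policy):
    """State recommended by 'metadata:policy <policy>-ips <state>', or None if absent."""
    for opt in options:
        name, _, value = opt.partition(':')
        if name.strip() == 'metadata':
            for entry in value.split(','):
                words = entry.split()
                if len(words) == 3 and words[0] == 'policy' and words[1] == policy + '-ips':
                    return words[2]
    return None

def gid_sid(options):
    """'gid:sid' for the rule; Snort's gid defaults to 1 when the option is absent."""
    fields = dict(o.partition(':')[::2] for o in options)
    return fields.get('gid', '1').strip() + ':' + fields['sid'].strip()

def convert(rules_text, policy):
    """Turn 'alert' into 'drop' for every rule whose metadata recommends drop in `policy`.
    Returns the rewritten rules text and the gid:sid list for a dropsid.conf (assumed format)."""
    out, sids = [], []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] == 'alert' and policy_state(parsed[2], policy) == 'drop':
            line = re.sub(r'^(\s*)alert\b', r'\1drop', line, count=1)
            sids.append(gid_sid(parsed[2]))
        out.append(line)
    return '\n'.join(out) + '\n', sids
```

Running `convert(SAMPLE_RULES, 'security')` flips the first two sample rules to drop and leaves the third (recommended as alert) alone, so only rules the ruleset itself marks as drop candidates for that policy change state.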
