Snort mailing list archives
Re: Modifying Rules Works One Direction, but Not T'Other
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sat, 29 Nov 2014 19:29:50 +0000
-- 
Joel Esler
Sent from my iPhone

On Nov 29, 2014, at 2:09 PM, colony.three <colony.three () protonmail ch> wrote:

> I've found that the current SecurityOnion has some serious problems. It does not even -define-:
>
> EXTERNAL_NET
> HOME_NET
> HTTP_PORTS
> ...
>
> for some reason. And these are mandatory for the GPL Emerging Threats rules. These should be defined in any network setup.
>
> I can't report the problems because SO requires G**gle Groups, and I'm not signing up for that.
>
> Further, it's looking like the GPL Emerging Threats rules may not be well-written, which are installed by SecurityOnion. What is going on with that?

Emerging Threats rules generally serve a different purpose than the Snort Subscriber Rule Set. We recommend you use rules that are important to your network.

> -------- Original Message --------
> Subject: Re: [Snort-users] Modifying Rules Works One Direction, but Not T'Other
> Time (GMT): Nov 29 2014 15:50:42
> From: joel.esler () me com
> To: colony.three () protonmail ch
> CC: snort-users () lists sourceforge net
>
> How about a “pass udp $EXTERNAL_NET any <> 192.168.1.7 any” rule?
> On Nov 27, 2014, at 11:00 PM, colony.three wrote:
>
>>> On 11/27/2014 7:22 PM, colony.three wrote:
>>>> alert udp $EXTERNAL_NET any <> !192.168.1.7 any (msg:"ET TOR Known Tor
>>>
>>> i'm not surprised... you've told snort to alert on all udp traffic in either direction that's not for 192.168.1.7... so all traffic from all other machines will raise an alert...
>>
>> Fine. I -want- traffic on all other machines to raise an alert. 192.168.1.7 is the only one running TOR traffic and I want that one to shut up.
>>
>> But it is still alerting on 192.168.1.7 only, as I say. All my other rules are working. And this one worked for one direction, but I can't shut up both directions because it dumps out when it finds a rule match.
>>
>> I am stuck on what to do about this. To me, the way I have the rule crafted, I believe should stop alerts both directions for 192.168.1.7. Snort seems to be misbehaving. But then I only started learning Snort 3 days ago.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
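The two rule headers quoted in the thread above (the alert rule with `!192.168.1.7` and the suggested `pass` rule), as an added example that is not part of the thread and not Snort's own code: a small Python model of how Snort 2 matches a rule header ($VAR substitution, `any`, `!` negation, bracketed lists, `->` and `<>`), run over constructed UDP flows under two assumed variable settings. The variable sets, the 198.51.100.9 address and the flows are illustrative assumptions; the pass-before-alert ordering follows the default evaluation order documented in the Snort 2.9 manual. Rule options (`msg`, `content`, `flow`, ...) are ignored, since only the header is at issue.

```python
"""Toy evaluator for Snort 2 rule headers: action proto src sport dir dst dport.

Added example, not code from the thread or from the Snort project. It models
only what the discussion turns on: $VAR substitution, 'any', '!' negation,
bracketed lists, and the '->' and '<>' direction operators. Rule options are
ignored. Addresses, variable sets and flows are constructed samples.
"""
import ipaddress
import re

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")

# Snort 2.9's documented default evaluation order: pass rules win over alerts.
ORDER = {"pass": 0, "drop": 1, "alert": 2, "log": 3}


def parse_rule(text):
    """Split a rule header into its fields; anything after the header is ignored."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule header: %r" % text)
    action, proto, src, sport, direction, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def _ip_matches(spec, ip, variables):
    """spec: 'any', '$NAME', 'a.b.c.d[/n]', '[x,y]' or any of those behind a '!'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not _ip_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return _ip_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("["):
        return any(_ip_matches(m, ip, variables) for m in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port, variables):
    """spec: 'any', '$NAME', 'n', 'lo:hi', '[x,y]' or any of those behind a '!'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port, variables)
    if spec.startswith("$"):
        return _port_matches(variables[spec[1:]], port, variables)
    if spec == "any":
        return True
    if spec.startswith("["):
        return any(_port_matches(m, port, variables) for m in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def header_matches(rule, flow, variables):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sp, dip, dp = flow
    if rule["proto"] not in ("ip", proto):
        return False

    def one_way(a, ap, b, bp):
        return (_ip_matches(a, sip, variables) and _port_matches(ap, sp, variables)
                and _ip_matches(b, dip, variables) and _port_matches(bp, dp, variables))

    forward = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["dir"] == "->":
        return forward
    # '<>': the address/port pairs may match in either orientation.
    return forward or one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])


def verdict(rules, flow, variables):
    """Action of the first matching rule in Snort's default action order, else None."""
    for rule in sorted(rules, key=lambda r: ORDER[r["action"]]):
        if header_matches(rule, flow, variables):
            return rule["action"]
    return None


# The two rule headers from the thread (the ET msg text is truncated on the page).
ALERT_RULE = parse_rule('alert udp $EXTERNAL_NET any <> !192.168.1.7 any (msg:"ET TOR Known Tor";)')
PASS_RULE = parse_rule("pass udp $EXTERNAL_NET any <> 192.168.1.7 any")

# Assumed variable sets: a conventional one, and a permissive one with
# EXTERNAL_NET as 'any' (an assumption, not what the thread's box actually had).
VARS_STRICT = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
VARS_PERMISSIVE = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Constructed sample flows; 198.51.100.9 stands in for a Tor relay.
FLOWS = {
    "ext_to_7":  ("udp", "198.51.100.9", 9001, "192.168.1.7", 40000),
    "7_to_ext":  ("udp", "192.168.1.7", 40000, "198.51.100.9", 9001),
    "ext_to_20": ("udp", "198.51.100.9", 9001, "192.168.1.20", 40000),
    "20_to_ext": ("udp", "192.168.1.20", 40000, "198.51.100.9", 9001),
}


def run(variables, rules):
    """Map each sample flow name to the verdict the rule set gives it."""
    return {name: verdict(rules, flow, variables) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, variables in (("strict", VARS_STRICT), ("permissive", VARS_PERMISSIVE)):
        print(label, "alert only:  ", run(variables, [ALERT_RULE]))
        print(label, "alert + pass:", run(variables, [ALERT_RULE, PASS_RULE]))
```

In this model the `<>` operator is what matters: with `$EXTERNAL_NET` as `any`, the reverse orientation of `... any <> !192.168.1.7 any` is satisfied by the far end of the connection, so the alert rule still fires on traffic to and from 192.168.1.7 in both directions, whereas with `$EXTERNAL_NET` as `!$HOME_NET` it stays quiet for that host. The `pass` rule silences 192.168.1.7 under either setting because pass rules are evaluated first. Two caveats for anyone copying the pass rule: a header-only `pass` ignores every UDP packet to or from that host for every rule, not just the Tor one, and Snort 2's `suppress` directive (in threshold.conf, keyed by gen_id/sig_id and `track by_src`/`by_dst` with an IP) is the narrower tool when only one signature should be quieted for one host; neither point comes from the thread itself.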
Current thread:
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 27)
- <Possible follow-ups>
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 27)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Joel Esler (jesler) (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
(Thread continues...)