Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: mlists () robin-kipp net
Date: Fri, 22 Jan 2016 13:02:17 +0100

Hi James,
thanks for that!
I used pulledpork's dropsid.conf file and specified rule SID 136:1, 
which is the reputation-based rule for IP blacklisting. After running 
pulledpork to reprocess those rules and reloading snort, it really looks 
like Snort is now dropping traffic with those IPs as source or 
destination!
So, many thanks for putting me on the right track here, now I just have 
to figure out how to switch rules to 'drop' state on a wider range, e.g. 
without explicitly specifying single SIDs or SID ranges.
Best regards,
Robin
On 2016-01-22 00:26, James Lay wrote:
On 2016-01-21 16:19, Robin Kipp wrote:

Hi James,

On 21.01.2016 at 22:59, James Lay
<jlay () slave-tothe-box net> wrote:

Do you have any rules that say "drop" instead of "alert"?

Well, I'm honestly not sure! I haven't really done anything with the
rules yet, as I wanted to get basic functionality working and then
start to get more into the details... I'm using pulledpork to update
my rules, using the registered ruleset provided by Talos and the
free one provided by EmergingThreatsPro.
All my rules are stored in one file, snort.rules. After briefly
looking at that file, I just took a shot in the dark by running:

grep "drop tcp" /var/snort/rules/snort.rules
which gave me no output whatsoever. On the other hand, the command

grep "alert tcp" /var/snort/rules/snort.rules
returned loads of results; I eventually aborted the command.
So, I guess that means I currently don't have any drop rules active,
at least as far as I can tell. So, what would be the best way for me
to change that? Is there any way to automatically enforce some rules
based on severity or any other criteria, or what's the preferred
way?
I suppose if I manually changed some rules in the snort.rules file,
then pulledpork would probably overwrite those changes with the next
upgrade. Would that be true?
Thanks a lot for any further help!
Best regards,
Robin

Ah...well there you have it then. Change a rule or two from alert to
drop and then restart and test.

James
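Robin's remaining question, how to switch rules to drop by some broader criterion instead of listing SIDs, can be answered outside pulledpork by post-processing snort.rules. The script below is an added example for this thread; it is not code from any post here and not part of pulledpork or Snort. It assumes Snort 2.x text rules that carry a `metadata:policy <name> drop` option (the Talos registered ruleset tags rules with `policy balanced-ips drop` and `policy security-ips drop`), and the rule lines it works on are constructed for illustration. Because pulledpork regenerates snort.rules on every run, a script like this has to be re-run after each update; the in-tool alternative is pulledpork's dropsid.conf, which accepts the same selectors as disablesid.conf (SID lists, ranges, category names and `pcre:` patterns).

```python
"""Flip Snort 2.x rules from 'alert' to 'drop' by policy metadata or classtype.

Added example for this thread; not from the original posts, pulledpork or
Snort. Assumptions: Snort 2.x text rules with a 'metadata:' option carrying
'policy <name> drop' (as Talos rules do); sample rules below are constructed.
"""
import re

# A live rule starts with its action; commented-out rules start with '#'.
RULE_RE = re.compile(r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>.*)$')
META_RE = re.compile(r'metadata:\s*([^;]*);')
CLASSTYPE_RE = re.compile(r'classtype:\s*([^;\s]+)\s*;')

# Constructed sample rule text (not real Talos/ET rules).
SAMPLE_RULES = """\
# constructed sample, not real Talos/ET rule text
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE smb probe"; flow:to_server; classtype:attempted-recon; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE policy event"; classtype:policy-violation; metadata:policy security-ips alert; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE dns"; classtype:trojan-activity; metadata:policy security-ips drop; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE disabled"; classtype:trojan-activity; metadata:policy security-ips drop; sid:9000004; rev:1;)
drop ip any any -> any any (msg:"SAMPLE already drop"; classtype:misc-attack; sid:9000005; rev:1;)
"""


def rule_policies(rule):
    """Return the policy names whose recommended action is 'drop' in the rule's metadata."""
    m = META_RE.search(rule)
    if not m:
        return set()
    policies = set()
    for item in m.group(1).split(','):
        parts = item.split()
        # metadata entries look like: policy balanced-ips drop
        if len(parts) == 3 and parts[0] == 'policy' and parts[2] == 'drop':
            policies.add(parts[1])
    return policies


def alert_to_drop(rules_text, policy=None, classtypes=()):
    """Rewrite 'alert' rules as 'drop' when the vendor policy or classtype selects them.

    Returns (new_rules_text, number_of_rules_changed). Disabled rules ('# alert ...')
    and rules that are already 'drop' are left untouched, so the pass is idempotent.
    """
    out = []
    changed = 0
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group('action') == 'alert':
            selected = bool(policy) and policy in rule_policies(line)
            ct = CLASSTYPE_RE.search(line)
            if ct and ct.group(1) in classtypes:
                selected = True
            if selected:
                line = 'drop ' + m.group('rest')
                changed += 1
        out.append(line)
    return '\n'.join(out) + '\n', changed


def count_actions(rules_text):
    """Count live rules per action: the same check the thread did with grep."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            counts[m.group('action')] = counts.get(m.group('action'), 0) + 1
    return counts


if __name__ == '__main__':
    # Typical use: read /var/snort/rules/snort.rules, write it back, then reload Snort.
    print('before:', count_actions(SAMPLE_RULES))
    converted, n = alert_to_drop(SAMPLE_RULES, policy='security-ips')
    print('changed %d rules' % n)
    print('after: ', count_actions(converted))
```

Selecting by `policy security-ips drop` converts every rule Talos itself recommends blocking in its strictest policy, which is a far larger and more defensible set than hand-picked SIDs; selecting by classtype (for example `trojan-activity`) is the coarser knob. Whatever criterion is used, test inline with known-benign traffic first, since a false positive in a drop rule is an outage rather than a log line.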


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!