Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: Robin Kipp <mlists () robin-kipp net>
Date: Wed, 27 Jan 2016 17:29:35 +0100

Hi YM,
thanks for the response!
Considering your comment and the blog post you linked to, I decided to try and "drop" the rules in the "balanced" 
ruleset in some other way.
So, I added the following to my dropsid.conf:

pcre:balanced-ips\ drop

Afterwards I reprocessed the rules, now the stats look very different!
Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----430
        Dropped Rules:----6651
        Disabled Rules:---20870
        Total Rules:------27951
IP Blacklist Stats...
        Total IPs:-----19676

At this point I haven’t had a chance to take a closer look at whether or not those dropped rules are all the ones in 
the balanced ruleset.
After restarting Snort, I realized that I still wasn’t getting any alerts. So, at this point I went back to my 
pulledpork.conf and commented out the ips_policy statement.
After reprocessing, I saw that the rule stats still looked the same, so no differences in the number of enabled and 
dropped rules. I then restarted Snort once again and guess what, my alerts are back!
To summarize, the ips_policy option in pulledpork.conf is now disabled; the only thing I have is that regular expression in 
my dropsid.conf. That then dropped most rules and enabled some others.
As I have to go soon, I'm currently not able to conduct extensive vulnerability scans and exploit tests, but will do so 
later on today. I will just let Snort run for a while at this point to see what it will capture, but I really, really 
hope that with this modification it will behave as expected.
If you have any comments about the changes I made or any other suggestions, please feel free to share them with me!
Thanks a lot for all the great help!
Best regards,
Robin
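One way to check the point left open in the message above (whether the rules pulledpork set to drop are exactly the ones in the balanced-ips policy), as an added example that is not part of this thread or of pulledpork itself. The rule lines are constructed samples, and the Enabled/Dropped/Disabled buckets follow the categories in the quoted "Rule Stats" output:

```python
import re

# Constructed sample of a pulledpork-generated snort.rules file (made-up SIDs and
# messages, not rules from the thread), covering each state a rule can end up in.
SAMPLE_RULES = """\
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web"; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SAMPLE smtp"; metadata:policy security-ips drop; sid:9000002; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE dns"; metadata:policy balanced-ips drop; sid:9000003; rev:1;)
drop tcp any any -> $HOME_NET 22 (msg:"SAMPLE ssh"; metadata:policy security-ips drop; sid:9000004; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"SAMPLE smb"; metadata:policy balanced-ips drop; sid:9000005; rev:1;)
"""

# A rule line: optional leading '#' (disabled), the action keyword, then a sid option.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|sdrop|reject|log|pass)\s+.*?'
    r'\bsid:\s*(?P<sid>\d+)\s*;', re.S)
# The metadata tag that the dropsid.conf pcre "balanced-ips\ drop" keys on.
BALANCED_RE = re.compile(r'policy\s+balanced-ips\s+drop')

def parse_rules(text):
    """Yield (sid, action, disabled, in_balanced) for every rule line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # plain comments and blank lines
        yield (int(m['sid']), m['action'], m['off'] is not None,
               BALANCED_RE.search(line) is not None)

def audit(text):
    """Rebuild the Enabled/Dropped/Disabled counts and flag two mismatches against
    the intent 'drop exactly the balanced-ips rules': enabled drop rules that are
    not in balanced-ips, and enabled balanced-ips rules still set to alert."""
    stats = {'enabled': 0, 'dropped': 0, 'disabled': 0, 'total': 0}
    unexpected_drop, missed_balanced = [], []
    for sid, action, disabled, balanced in parse_rules(text):
        stats['total'] += 1
        if disabled:
            stats['disabled'] += 1
            continue
        if action == 'drop':
            stats['dropped'] += 1
            if not balanced:
                unexpected_drop.append(sid)
        else:
            stats['enabled'] += 1
            if balanced:
                missed_balanced.append(sid)
    return stats, unexpected_drop, missed_balanced

if __name__ == '__main__':
    s, u, m = audit(SAMPLE_RULES)
    print(s, 'drop but not balanced-ips:', u, 'balanced-ips still alert:', m)
```

Run it against the real snort.rules that pulledpork writes to confirm that the first list is empty and the second contains only rules you disabled on purpose.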
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
