Snort mailing list archives
Re: Snort running inline but not functioning as IPS
From: Robin Kipp <mlists () robin-kipp net>
Date: Wed, 27 Jan 2016 17:29:35 +0100
Hi YM, thanks for the response! Considering your comment and the blog post you linked to, I decided to try and „drop“ the rules in the „balanced“ ruleset in some other way. So, I added the following to my dropsid.conf: pcre:balanced-ips\ drop Afterwards I reprocessed the rules, now the stats look very different! Rule Stats... New:-------0 Deleted:---0 Enabled Rules:----430 Dropped Rules:----6651 Disabled Rules:---20870 Total Rules:------27951 IP Blacklist Stats... Total IPs:——19676 At this point I haven’t had a chance to take a closer look at whether or not those dropped rules are all the ones in the balanced ruleset. After restarting Snort, I realized that I still wasn’t getting any alerts. So, at this point I went back to my pulledpork.conf and commented out the ips_policy statement. After reprocessing, I saw that the rule stats still looked the same, so no differences in the number of enabled and dropped rules. I then restarted Snort once again and guess what, my alerts are back! To summarize, the ips_policy option in pulledpork.conf is now disabled, only thing I have is that regular expression in my dropsid.conf. That then dropped most rules and enabled some others. As I have to go soon I’m currently not able to conduct extensive vulnerability scans and exploit tests, but will do so later on today. I will just let Snort run for a while at this point to see what it will capture, but I really, really hope that with this modification it will behave as expected. If you have any comments about the changes I made or any other suggestions, please feel free to share them with me! Thanks a lot for all the great help! Best regards, Robin
------------------------------------------------------------------------------ Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort running inline but not functioning as IPS, (continued)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 23)
- Re: Snort running inline but not functioning as IPS Joel Esler (jesler) (Jan 23)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 24)
- Re: Snort running inline but not functioning as IPS Y M (Jan 24)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 24)
- Re: Snort running inline but not functioning as IPS Y M (Jan 24)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 26)
- Re: Snort running inline but not functioning as IPS Y M (Jan 27)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 27)
- Re: Snort running inline but not functioning as IPS Y M (Jan 27)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 27)