Snort mailing list archives
Re: Snort-users Digest, Vol 122, Issue 42
From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Fri, 29 Jul 2016 15:55:43 -0400
Hi LP,

You could use the snort.conf file and disable the rules you do not want Snort to load while it starts. We also had to disable some pre-proc rules, and we used the snort.conf file to disable them.

For example, in snort.conf comment out the rule set you don't want:

$ less snort.conf
...........
#include $RULE_PATH/VRT-preprocessor.rules
# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
.............

Hope this helps.

Thanks,
Fatema.

On Fri, Jul 29, 2016 at 3:37 PM, <snort-users-request () lists sourceforge net> wrote:
Today's Topics:

1. Disabling Preprocessor/Decoder rules (Lauren Proehl)
2. R: Catch rate testing with VRT free ruleset (Romagnoli Andrea)
3. Determining remote proxy servers using snort. (fatema bannatwala)
4. Re: Pulledpork does not apply policies to Snort registered rules (Michael Steele)

----------------------------------------------------------------------

Message: 1
Date: Fri, 29 Jul 2016 14:35:08 +0000
From: Lauren Proehl <lauren.proehl () unitedlex com>
Subject: [Snort-users] Disabling Preprocessor/Decoder rules
To: snort-users mailinglist <snort-users () lists sourceforge net>
Message-ID: <D3C0D3CB.9259%lauren.proehl () unitedlex com>
Content-Type: text/plain; charset="windows-1252"

Snort Users,

Wondering if you all can help me. A new analyst accidentally enabled preproc rules last night and couldn't figure out how to turn them off. I managed to edit the pulledpork conf and stop them from downloading, but wondering if there is a way to fine tune these rules better, i.e. disablesid.conf, snort.conf or threshold.conf. (Rule Ex: stream5: TCP Timestamp is missing)

Regards,
LP
------------------------------

Message: 2
Date: Fri, 29 Jul 2016 15:56:57 +0000
From: Romagnoli Andrea <andrea.romagnoli () it telecomitalia it>
Subject: [Snort-users] R: Catch rate testing with VRT free ruleset
To: "Joel Esler (jesler)" <jesler () cisco com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <ca58c8fd9d2b4f0281770da95cc41ecb@TELMBXD07BA020.telecomitalia.local>
Content-Type: text/plain; charset="iso-8859-1"

Hi Joel,

Thank you for your feedback! At the moment we are running all VRT free rules and we are not dropping any packets due to high traffic rate (or other reasons). Which preprocessor configuration could cause this effect? We are using the default conf file, except for the stream5_global variable (we added memcap and increased TCP/UDP max connections), setting HOME_NET, daq PF_RING variables and some secondary parameters like rules directory location, ip reputation lists location, so on and so forth. I can share the conf if it could be helpful.

Thank you
Best regards,
Andrea

-----Original Message-----
From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Friday, 29 July 2016 00:39
To: Romagnoli Andrea
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Catch rate testing with VRT free ruleset

This could depend on configuration of your preprocessors, and what rules you are running, as well as how many packets you are dropping. Our catch rate for Breaking Point is much much higher.

On Jul 28, 2016, at 11:56 AM, Andrea Romagnoli <andrea.romagnoli () it telecomitalia it> wrote:

Hello everyone.

We installed Snort 2.9.8.3 (Build 383) with PF_RING on a server with 2 Xeon CPUs, 256GB RAM and Ubuntu 14.04.1: our aim is to test Snort in IPS inline mode using IXIA's Breaking Point (traffic generator). We are doing a catch rate testing using the updated VRT Free ruleset.
Trying hundreds of attacks ordered by year (from 2008 to 2015) we reached a catch rate of approximately 45% (lowest: 34.83% with 2008 attacks, highest: 47.08% with 2015 attacks). In our testbed we enabled all rulesets and we put them in "reject" mode. Do you think that those results are reasonable for a free ruleset such as VRT Free, or could we do a bit more? What results could we expect with VRT Pro?

Best regards,
Andrea

------------------------------

Message: 3
Date: Fri, 29 Jul 2016 14:18:44 -0400
From: fatema bannatwala <fatema.bannatwala () gmail com>
Subject: [Snort-users] Determining remote proxy servers using snort.
To: snort-users () lists sourceforge net
Message-ID: <CACX0rUTeLvmdfwfjPrxihiHdZoS2CXRw93Du9AC8Xwsaxo-QDw () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hi,

Recently we have seen an uptick in the use of proxy servers to log in to accounts by people living in China. And since the connection appears to come from a US-based IP address (probably a proxy) they go unflagged by the IDS/IPS devices, as they see normal logins from United States IP addresses. So my question is: is there a way to determine that the incoming connection from an IP is actually a proxy server's IP, by looking at some unique patterns in data collected by IDS/IPS devices? And if so, can we do it using Snort?

Thanks,
Fatema.
------------------------------

Message: 4
Date: Fri, 29 Jul 2016 15:24:23 -0400
From: "Michael Steele" <michaels () winsnort com>
Subject: Re: [Snort-users] Pulledpork does not apply policies to Snort registered rules
To: "'Shirkdog'" <shirkdog () gmail com>, "'Joel Esler (jesler)'" <jesler () cisco com>
Cc: 'snort-users mailinglist' <snort-users () lists sourceforge net>, "'Asad, Hafiz ul'" <Hafiz-ul.Asad () city ac uk>
Message-ID: <001801d1e9ce$d11cb7b0$73562710$@winsnort.com>
Content-Type: text/plain; charset="utf-8"

Snort will display the number of enabled rules. If the priority is changed in PulledPork the number of active rules will change.

Kindest regards,
Michael...
WINSNORT.com Management Team Member

From: Shirkdog [mailto:shirkdog () gmail com]
Sent: Friday, July 29, 2016 10:13 AM
To: Joel Esler (jesler) <jesler () cisco com>
Cc: Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>; snort-users mailinglist <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Pulledpork does not apply policies to Snort registered rules

I was about to reply to this, as I thought Joel had brought this up as a feature before. If it does not exist as an issue, please add it as a feature request.

On Jul 29, 2016 10:11 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Interesting. Have you filed an issue with pulledpork on the github for the project? Shirkdog may not be monitoring this list all the time.
On Jul 29, 2016, at 8:06 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk> wrote:

Snort Users,

I have been trying to compare the results of different snort rules with different policies: Connectivity, Security, Balanced, No-policy. While setting these for downloading different community rules using Pulledpork, I was able to download different sets of rules for each policy. However, I have noticed that setting up different policies in the "pulledpork.conf" file does not have any effect on the downloaded rules for the "Snort Registered" rule set (every time the downloaded rules remain the same no matter what policy is set in the file). Is there any explanation for this from the Pulledpork point of view?

Cheers,
Asad

Hafiz ul Asad
Research Assistant
Center for Software Reliability
School of Mathematics, Computer Science & Engineering
City University London, EC1V 0HB London
Tel : +44 (0) 20 7040 8422
End of Snort-users Digest, Vol 122, Issue 42
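Fatema's reply at the top of the thread disables preprocessor and decoder event rules by commenting out their include lines in snort.conf. As an added example, not code from the original thread, here is a small Python check that reports which of those includes are still active in a config and comments them out before Snort is restarted; the sample snort.conf fragment is constructed, and the variable paths and function names are assumptions.

```python
import re

# Constructed snort.conf fragment (not from the original post), mirroring the
# include lines quoted in the reply, with one preprocessor include left active.
SAMPLE_SNORT_CONF = """\
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
#include $RULE_PATH/VRT-preprocessor.rules
# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
include $RULE_PATH/local.rules
"""

# Matches "include <path>" with an optional leading "#", so commented and
# active include lines are told apart by the presence of the comment group.
INCLUDE_RE = re.compile(r"^(?P<comment>\s*#\s*)?include\s+(?P<path>\S+)")


def is_preproc_include(path):
    """True for includes that load decoder/preprocessor event rules."""
    return "$PREPROC_RULE_PATH/" in path or path.endswith("VRT-preprocessor.rules")


def active_preproc_includes(conf_text):
    """Return (line number, line) for every uncommented preproc/decoder include."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if m and not m.group("comment") and is_preproc_include(m.group("path")):
            found.append((lineno, line.strip()))
    return found


def disable_preproc_includes(conf_text):
    """Comment out active preproc/decoder includes; all other lines are untouched."""
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and not m.group("comment") and is_preproc_include(m.group("path")):
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, line in active_preproc_includes(SAMPLE_SNORT_CONF):
        print(f"line {lineno}: still active -> {line}")
    fixed = disable_preproc_includes(SAMPLE_SNORT_CONF)
    assert active_preproc_includes(fixed) == []
```

Run it against a real snort.conf by reading the file into the function instead of the constructed sample; only the include lines change, so a diff of the output against the original shows exactly which rule sets were disabled.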