Snort mailing list archives

Snort / Rules / Pulled Pork


From: Dan O'Brien via Snort-users <snort-users () lists snort org>
Date: Sat, 16 Sep 2017 09:20:32 -0400

Ok, slowly I am trying to figure this out. 

I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg 
firewall client long host entry exploit attempt-19187" alerts.

The source IPs for all the alerts are my internet service provider's DNS servers, along with the IP of my Pi-hole 
Raspberry Pi. So, I need a simple filter for this rule, correct?

I figure I need this:
suppress gen_id 3, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]

I ended up trying it in several different locations, including snort.conf and local.rules, without any effect. Last 
night, I put the statement at the bottom of snort.rules, which is where all the PulledPork rules are. IT WORKED :-). 

I woke up this morning hoping to continue eliminating some of my false positives through this method, and my additions were 
no longer at the bottom of the PulledPork snort.rules list. The false positives are still being enforced, though. 

I realize I am new and asking some really noob questions. I always try to find the answers on the internet; the problem 
is, I end up with old information. 

Any assistance is greatly appreciated. 

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
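Added example, not code from the post or from the Snort project: a small Python validator that checks suppress entries against the documented Snort 2.x threshold.conf grammar (`suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <ip-list>`), using the two addresses quoted in the post as a constructed sample. The function names and the sample file are assumptions made for this example; running such a check before restarting Snort catches a dropped comma, and keeping suppressions in threshold.conf rather than in the PulledPork-managed snort.rules keeps them from being overwritten on the next rule update.

```python
import ipaddress
import re

# Grammar of a Snort 2.x event-suppression entry (threshold.conf):
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip-list>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(line):
    """Return a dict for a well-formed suppress entry, or raise ValueError."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError("malformed suppress entry: %r" % line)
    gid, sid, track, ips = m.groups()
    entry = {"gen_id": int(gid), "sig_id": int(sid), "track": track, "ip": []}
    if ips is not None:
        # A single address/CIDR, or a bracketed comma-separated list of them.
        for item in ips.strip("[]").split(","):
            entry["ip"].append(str(ipaddress.ip_network(item.strip(), strict=False)))
    return entry


def check_threshold_conf(text):
    """Validate every suppress line; return (entries, errors) so all bad lines are reported."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("suppress"):
            continue
        try:
            entries.append(parse_suppress(line))
        except ValueError as exc:  # also raised by ip_network for a bad address
            errors.append((lineno, str(exc)))
    return entries, errors


# Constructed sample (hypothetical threshold.conf): the entry as it appeared in the
# post, beside its corrected form. The addresses are the ones quoted in the post.
SAMPLE_CONF = """\
# as posted: no comma between sig_id and track, so it does not match the grammar
suppress gen_id 3, sig_id 19187 track by_src, ip 24.25.5.60,24.25.5.61
# corrected: comma-separated keywords, address list in brackets
suppress gen_id 3, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]
"""

if __name__ == "__main__":
    entries, errors = check_threshold_conf(SAMPLE_CONF)
    print("valid:", entries)
    print("errors:", errors)
```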
