Snort mailing list archives

Re: Snort / Rules / Pulled Pork


From: Dan O'Brien via Snort-users <snort-users () lists snort org>
Date: Sat, 16 Sep 2017 16:35:18 -0400

Thank you very much for your response. Please allow me to clarify a couple of things within your original response.

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad

On Sep 16, 2017, at 10:27 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:



On Sat, Sep 16, 2017 at 3:20 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:
Ok, slowly I am trying to figure this out. 

I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns 
tmg firewall client long host entry exploit attempt-19187" alerts.

The source IPs for all the alerts are my internet service provider's DNS servers along with the IP of my Pi-hole 
Raspberry Pi. So, I need a simple filter for this rule, correct?

I figure I need this (options are comma-separated, and a list of several addresses goes in square brackets):
suppress gen_id 3, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]
readable examples are given at
https://www.snort.org/faq/readme-filters
https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters

Thank you for this; this is where I actually learned the suppress command I used, but this is confusing (see below).
 

I ended up trying it in several different locations, including snort.conf and local.rules, without any effect.
snort.conf contains the line
include threshold.conf
where you can write those suppress filters.
The link above indicates that thresholding is being deprecated.  I originally believed that in the future, 
threshold.conf would be going bye-bye, so using it now would be counterproductive. Before writing this response, I 
again re-read the filter readme, and the second time I think I read it differently. The second time I read it, I 
understood that the standalone threshold statement would be deprecated. Is this different than using threshold.conf?

 
Last night, I put the statement at the bottom of snort.rules, which is where all the pulled pork rules are. IT 
WORKED :-). 

I woke up this a.m., hoping to continue eliminating some of my false positives through this method, and my additions 
were no longer at the bottom of the pulled pork/snort.rules list.

pulledpork is configurable to download and update snort.rules - maybe this is what happened?
Absolutely what happened.  My confusion is in the fact that the suppress statements in yesterday's snort.rules are 
still working today even after pulled pork downloaded and updated snort.rules.  My suppress statements are still 
working even though they are not in snort.rules due to being overwritten by the download today. They had to be written 
elsewhere?  No biggie other than should my suppress statements not be correct, I have no idea how to delete them.

Marcin
 
The false positives are still being enforced though. 

I realize I am new and asking some really noob questions. I always try and find the answers on the internet, problem 
is, I end up with old information. 

Any assistance greatly appreciated 

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
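The thread above turns on two things: what a Snort suppress line with `track by_src` and an IP list actually does to the alerts, and what goes wrong when the line is malformed (a missing comma between options, or several addresses without brackets). The following Python model is an added example written for this archive page; it is not Snort's parser, not pulledpork, and not code from anyone in the thread. It assumes the suppress syntax documented in README.filters, `suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst>, ip <ip-list>]`, with a bracketed comma-separated list for several addresses. The gen_id/sig_id values and the two resolver addresses are the ones from the thread; the Pi-hole address, the threshold.conf text and the alert records are constructed for the demonstration.

```python
"""Model of how Snort 2.x 'suppress' filters (as kept in threshold.conf)
select alerts.  Added example for this mailing-list page, not Snort code:
it assumes the documented syntax

    suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst>, ip <ip-list>]

where <ip-list> is one address/CIDR block or a bracketed list such as
[24.25.5.60,24.25.5.61].  All alerts and configuration text are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    src: str
    dst: str
    msg: str


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None   # None: suppress the signature for all traffic
    nets: tuple = ()              # ip_network objects when track is set

    def matches(self, alert: Alert) -> bool:
        if (alert.gid, alert.sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        # by_src tests the alert's source address, by_dst its destination
        addr = ipaddress.ip_address(alert.src if self.track == "by_src" else alert.dst)
        return any(addr in net for net in self.nets)


def parse_ip_list(text: str) -> tuple:
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return tuple(ipaddress.ip_network(t.strip(), strict=False) for t in text.split(","))


def parse_suppress(line: str) -> Suppress:
    """Parse one suppress line; raise ValueError for anything malformed."""
    body = line.strip()
    if not body.startswith("suppress "):
        raise ValueError(f"not a suppress line: {line!r}")
    # Options are comma-separated; a comma inside a bracketed IP list is
    # part of the list, not an option separator.
    fields = re.split(r",(?![^\[]*\])", body[len("suppress "):])
    opts = {}
    for field in fields:
        parts = field.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed option {field.strip()!r}: options are "
                             "'key value' pairs separated by commas")
        opts[parts[0]] = parts[1].strip()
    try:
        gid, sid = int(opts["gen_id"]), int(opts["sig_id"])
    except (KeyError, ValueError):
        raise ValueError(f"gen_id/sig_id missing or not integers in {line!r}") from None
    track = opts.get("track")
    if track is None:
        return Suppress(gid, sid)
    if track not in ("by_src", "by_dst") or "ip" not in opts:
        raise ValueError(f"track must be by_src or by_dst and needs an ip list: {line!r}")
    return Suppress(gid, sid, track, parse_ip_list(opts["ip"]))


def validate(line: str) -> Optional[str]:
    """Return None if the line parses, otherwise the parser's error text."""
    try:
        parse_suppress(line)
        return None
    except ValueError as exc:
        return str(exc)


def load_filters(conf_text: str) -> List[Suppress]:
    """Read suppress lines from threshold.conf-style text, ignoring comments."""
    filters = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            filters.append(parse_suppress(line))
    return filters


def apply_filters(alerts: List[Alert], filters: List[Suppress]) -> List[Alert]:
    """Return only the alerts that no suppress filter matches."""
    return [a for a in alerts if not any(f.matches(a) for f in filters)]


# Constructed threshold.conf content; 192.0.2.53 stands in for the Pi-hole.
THRESHOLD_CONF = """\
# ISP resolvers and the Pi-hole trigger 3:19187 on long DNS replies
suppress gen_id 3, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]
suppress gen_id 3, sig_id 19187, track by_src, ip 192.0.2.53
"""

# Constructed alert records (not real Snort output).
ALERTS = [
    Alert(3, 19187, "24.25.5.60", "192.0.2.53", "TMG Firewall Client long host entry"),
    Alert(3, 19187, "24.25.5.61", "192.0.2.53", "TMG Firewall Client long host entry"),
    Alert(3, 19187, "192.0.2.53", "192.0.2.20", "TMG Firewall Client long host entry"),
    Alert(3, 19187, "198.51.100.7", "192.0.2.20", "same signature, unknown resolver: keep"),
    Alert(3, 19187, "192.0.2.20", "24.25.5.60", "suppressed address is the dst, not src: keep"),
    Alert(1, 2100498, "198.51.100.7", "192.0.2.20", "unrelated signature: keep"),
]

# Two malformed forms: no comma between sig_id and track, and an
# unbracketed address list.  Both are rejected by the parser above.
MISSING_COMMA = "suppress gen_id 3, sig_id 19187 track by_src, ip [24.25.5.60,24.25.5.61]"
UNBRACKETED = "suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60,24.25.5.61"


def remaining_alerts() -> List[Alert]:
    return apply_filters(ALERTS, load_filters(THRESHOLD_CONF))


if __name__ == "__main__":
    print("missing comma:", validate(MISSING_COMMA))
    print("unbracketed  :", validate(UNBRACKETED))
    for a in remaining_alerts():
        print(f"[{a.gid}:{a.sid}] {a.src} -> {a.dst}  {a.msg}")
```

Two practical points follow from the model and from the thread itself. Suppress lines belong in threshold.conf, which snort.conf pulls in with `include threshold.conf`; anything appended to snort.rules is lost the next time pulledpork regenerates that file. And `track by_src` only hides alerts whose source is in the list, so the same signature from an unlisted resolver, or traffic flowing toward a listed address, still alerts, which is the behaviour you want when you are suppressing a known-benign DNS source rather than the rule as a whole. After editing threshold.conf, `snort -T -c /etc/snort/snort.conf` parses the configuration and exits, so a malformed line is caught before the sensor restarts.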

