Re: Snort / Rules / Pulled Pork

[Marcin Dulak via Snort-users <snort-users () lists snort org>]

On Sat, Sep 16, 2017 at 10:35 PM, Dan O'Brien <pdobrien3 () gmail com> wrote:

> Thank you very much for your response. Please allow me to clarify a couple
> things within your original response.
>
> Thanks,
>
> Dan
>
>
> "Better is a poor man who walks in his integrity than a rich man who is
> crooked in his ways." - Proverbs 28:6
>
>
> Sent from my iPad
>
> On Sep 16, 2017, at 10:27 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:
>
>
>
> On Sat, Sep 16, 2017 at 3:20 PM, Dan O'Brien via Snort-users <
> snort-users () lists snort org> wrote:
>
> > Ok, slowly I am trying to figure this out.
> >
> >
> > I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason
> > why I am getting multiple "protocol dns tmg firewall client long host entry
> > exploit attempt-19187" alerts.
> >
> >
> > The source ip for all the alerts are my internet service providers DNS
> > servers along with to ip of my Pi-hole Raspberry Pi. So, I need a simple
> > filter for this rule correct?
> >
> >
> > I figure I need this:
> >
> > suppress gen_id 3, sig_id 19187 track by_src, ip 24.25.5.60,24.25.5.61
> >
> > readable examples are given at
> https://www.snort.org/faq/readme-filters
> https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters
>
>
> Thank you for this, this is where I actually learned the suppress command
> I used but this is confusing (see below).
>
>
>
> > I ended up trying it in several different locations including snort.conf
> > and local.rules without any affect.
> >
> > snort.conf contains the line
> include threshold.conf
> where you can write those suppress filters.
>
> The link above indicates that thresholding is being deprecated.  I
> originally believed that in the future, threshold.conf would be going
> bye-bye so using it now would be counter productive. Before writing this
> response, I again re-read the filter readme and the second time I think I
> read it differently. The second time I read it, I understood that the
> standalone threshold statement would be deprecated. Is this different than
> using threshold.conf?

the information in
https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters
deprecates the one in
https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.thresholding


> > Last night, I put the statement at the bottom of snort.rules, which is
> > where all the pulled pork rules are. IT WORKED :-).
> >
> >
> > I woke up this am, hoping to continue eliminating some of my false
> > positive through this method and my additions were no longer at the bottom
> > of the pulled pork/snort.rules list.
>
> pulledpork is configurable to download and update snort.rules - maybe this
> is what happened?
>
> Absolutely what happened.  My confusion is in the fact that the suppress
> statements in yesterday's snort.rules are still working today even after
> pulled pork downloaded and updated snort.rules.  My suppress statements are
> still working even though they are not in snort.rules due to being
> overwritten by the download today. They had to be written elsewhere?  No
> biggie other than should my suppress statements not be correct, I have no
> idea how to delete them.

pulledpork downloaded and installed the new rules, but snort has not been
restarted so it still uses the old suppress definitions.
You can also force snort to re-read the new snort.rules without restarting
with:

kill -hup $(pidof snort)


Marcin

> Marcin
>
>
> > The false positives are still being enforced though.
> >
> > I realize I am new and asking some really noob questions. I always try
> > and find the answers on the internet, problem is, I end up with old
> > information.
> >
> > Any assistance greatly appreciated
> >
> > Thanks,
> >
> > Dan
> >
> >
> > "Better is a poor man who walks in his integrity than a rich man who is
> > crooked in his ways." - Proverbs 28:6
> >
> >
> > Sent from my iPad
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists snort org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!