Snort mailing list archives
Re: Snort / Rules / Pulled Pork
From: Marcin Dulak via Snort-users <snort-users () lists snort org>
Date: Sat, 16 Sep 2017 23:49:00 +0200
On Sat, Sep 16, 2017 at 10:35 PM, Dan O'Brien <pdobrien3 () gmail com> wrote:
> Thank you very much for your response. Please allow me to clarify a couple things within your original response.
>
> Thanks,
> Dan
>
> "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
>
> Sent from my iPad
>
> On Sep 16, 2017, at 10:27 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:
>
>> On Sat, Sep 16, 2017 at 3:20 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:
>>
>>> Ok, slowly I am trying to figure this out. I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg firewall client long host entry exploit attempt-19187" alerts. The source ip for all the alerts are my internet service provider's DNS servers along with the ip of my Pi-hole Raspberry Pi. So, I need a simple filter for this rule, correct? I figure I need this:
>>>
>>> suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60,24.25.5.61
>>
>> readable examples are given at https://www.snort.org/faq/readme-filters
>> https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters
>
> Thank you for this, this is where I actually learned the suppress command I used but this is confusing (see below).
>
>>> I ended up trying it in several different locations including snort.conf and local.rules without any effect.
>>
>> snort.conf contains the line
>>
>> include threshold.conf
>>
>> where you can write those suppress filters.
>>
>>> The link above indicates that thresholding is being deprecated.
>
> I originally believed that in the future, threshold.conf would be going bye-bye so using it now would be counterproductive. Before writing this response, I again re-read the filter readme and the second time I think I read it differently. The second time I read it, I understood that the standalone threshold statement would be deprecated. Is this different than using threshold.conf?

the information in https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters deprecates the one in https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.thresholding

>>> Last night, I put the statement at the bottom of snort.rules, which is where all the pulled pork rules are. IT WORKED :-). I woke up this am, hoping to continue eliminating some of my false positives through this method, and my additions were no longer at the bottom of the pulled pork/snort.rules list.
>>
>> pulledpork is configurable to download and update snort.rules - maybe this is what happened?
>
> Absolutely what happened. My confusion is in the fact that the suppress statements in yesterday's snort.rules are still working today even after pulled pork downloaded and updated snort.rules. My suppress statements are still working even though they are not in snort.rules due to being overwritten by the download today. They had to be written elsewhere? No biggie other than should my suppress statements not be correct, I have no idea how to delete them.

pulledpork downloaded and installed the new rules, but snort has not been restarted so it still uses the old suppress definitions. You can also force snort to re-read the new snort.rules without restarting with:

kill -hup $(pidof snort)

Marcin

>> Marcin
>
>>> The false positives are still being enforced though. I realize I am new and asking some really noob questions. I always try and find the answers on the internet, problem is, I end up with old information. Any assistance greatly appreciated.
>>>
>>> Thanks,
>>> Dan
>>>
>>> "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
>>>
>>> Sent from my iPad
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists snort org
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
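As an added example (not code from the thread, from Snort or from pulledpork): a small POSIX shell parser for the suppress entries in threshold.conf, the file snort.conf includes and pulledpork does not rewrite, so you can confirm a suppression lives there rather than in the snort.rules that the next update overwrites. The sample threshold.conf, its gid/sid/ip values and the bracketed ip-list form are constructed assumptions, and the check only matches addresses literally (no CIDR expansion).

```shell
#!/bin/sh
# Added example, not from the thread: parse the "suppress" entries of a Snort
# threshold.conf (the file snort.conf includes; pulledpork rewrites snort.rules,
# not this file) and check whether a gid:sid is suppressed for a given IP.
# Assumed syntax (README.filters): suppress gen_id G, sig_id S[, track by_src|by_dst, ip IPLIST]

# Constructed sample threshold.conf; values are made up for the demonstration.
sample_threshold_conf() {
  cat <<'EOF'
# resolver noise for one signature, suppressed by source address
suppress gen_id 3, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]
# one signature suppressed everywhere
suppress gen_id 1, sig_id 2100498
EOF
}

# find_suppress GID SID: reads a threshold.conf on stdin and prints each matching
# entry as "GID:SID TRACK IPLIST" or "GID:SID all".
find_suppress() {
  awk -v gid="$1" -v sid="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # skip comments, blank lines
    $1 == "suppress" {
      line = $0; ips = ""
      # cut the ip-list off first so commas inside [a,b] are not read as separators
      if (match(line, /[ \t,]ip[ \t]+/)) {
        ips = substr(line, RSTART + RLENGTH)
        line = substr(line, 1, RSTART - 1)
      }
      gsub(/,/, " ", line); n = split(line, w); split("", kv)
      for (i = 2; i < n; i += 2) kv[w[i]] = w[i + 1]   # gen_id, sig_id, track
      gsub("[^0-9a-fA-F.:,/]", "", ips)                # drop brackets and spaces
      if (kv["gen_id"] == gid && kv["sig_id"] == sid)
        print gid ":" sid, (("track" in kv) ? kv["track"] " " ips : "all")
    }'
}

# is_suppressed GID SID IP: exit 0 if an entry covers GID:SID globally or lists IP
# literally (CIDR ranges and negated lists are not expanded here).
is_suppressed() {
  find_suppress "$1" "$2" | awk -v ip="$3" '
    $2 == "all" { found = 1 }
    $2 != "all" { n = split($3, l, ","); for (i = 1; i <= n; i++) if (l[i] == ip) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Demonstration on the sample. Edits to the real file only take effect after a
# reload: kill -HUP "$(pidof snort)" as in the thread, or a restart of snort.
sample_threshold_conf | find_suppress 3 19187
```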