[Snort-sigs] proper metadata use?

Will Metcalf william.metcalf at ...2420...
Thu Apr 29 00:36:14 EDT 2010


Sure, I just thought maybe this wasn't the proper metadata tag for
these rules, if people started to leverage this to build drop
rule-sets using pulled-pork, oinkmaster or whatever.

Regards,

Will

On Tue, Apr 27, 2010 at 7:04 PM, JJ Cummings <cummingsj at ...2420...> wrote:
> Will, certainly a valid concern....
>
> Currently pulledpork does not set rules automatically to a "drop" state...
> But rather alert only... The user must specify to pulledpork what rules that
> they want to set as drop, using the dropsid configuration option...
>
> HTH
> JJC
>
> Sent from the iRoad
>
> On Apr 27, 2010, at 17:37, Will Metcalf <william.metcalf at ...2420...> wrote:
>
>> Is the metadata policy for all of these rules correct?  If people
>> start using pulled-pork for policy drop stuff... or maybe I'm
>> misunderstanding the meaning of this metadata tag.
>>
>> grep "security-ips drop" *.rules | grep "flowbits\:\s*noalert"
>>
>> Looks like it would end up in a lot of traffic that is being used for
>> protocol decode.  It is generally a bad idea to mix drop and
>> flowbits:noalert as valid traffic ends up getting dropped and the
>> users have no idea why.  Just my 2 cents....
>>
>> Regards,
>>
>> Will
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
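The one-line grep in the quoted message only matches when both options sit on the same line and cannot distinguish `flowbits:set,...` from `flowbits:noalert` in a rule whose content happens to contain the word. Below is an added Python example (not from this thread, and not code from the Snort or PulledPork projects) that parses each rule's option block and reports the SIDs that carry `metadata:policy security-ips drop` together with `flowbits:noalert`, i.e. rules that would silently drop traffic in an inline deployment without ever producing an alert. The sample rules, their SIDs and messages are constructed for the example and do not come from any real ruleset.

```python
# Constructed sample rules; the SIDs (9000001..9000003) and messages are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP login seen"; flow:to_server,established; content:"USER "; flowbits:set,ftp.user; flowbits:noalert; metadata:policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP bad command after login"; flow:to_server,established; flowbits:isset,ftp.user; content:"SITE EXEC"; metadata:policy security-ips drop; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE HTTP state tracker"; flow:to_server,established; content:"GET"; flowbits:set,http.get; flowbits:noalert; metadata:policy balanced-ips alert; sid:9000003; rev:1;)
# comment lines and blank lines must be ignored
"""


def split_options(option_body):
    """Split a Snort option block on ';' while respecting double-quoted values
    and backslash escapes, so a ';' inside content:"..." does not end an option."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in option_body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == '\\':
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Return (header, [(option_name, option_value), ...]) for one rule line,
    or None for blank lines, comments and lines without an option block."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    start, end = line.find('('), line.rfind(')')
    if start == -1 or end == -1 or end < start:
        return None
    options = []
    for opt in split_options(line[start + 1:end]):
        name, _, value = opt.partition(':')  # "msg:"..."" -> ("msg", '"..."')
        options.append((name.strip(), value.strip()))
    return line[:start].strip(), options


def metadata_policies(options):
    """Collect {policy_name: action} from every 'metadata:' option, e.g.
    'metadata:policy security-ips drop, service ftp' -> {'security-ips': 'drop'}."""
    policies = {}
    for name, value in options:
        if name != 'metadata':
            continue
        for entry in value.split(','):
            parts = entry.split()
            if len(parts) == 3 and parts[0] == 'policy':
                policies[parts[1]] = parts[2]
    return policies


def has_noalert(options):
    """True if any flowbits option is the 'noalert' operation."""
    return any(name == 'flowbits' and value.split(',')[0].strip() == 'noalert'
               for name, value in options)


def get_sid(options):
    for name, value in options:
        if name == 'sid':
            return int(value)
    return None


def find_silent_drop_rules(rules_text, policy='security-ips'):
    """Return the SIDs of rules marked 'drop' under `policy` that also set
    flowbits:noalert: in inline mode they block traffic without any alert."""
    hits = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, options = parsed
        if metadata_policies(options).get(policy) == 'drop' and has_noalert(options):
            hits.append(get_sid(options))
    return hits


if __name__ == '__main__':
    for sid in find_silent_drop_rules(SAMPLE_RULES):
        print(f"sid {sid}: security-ips drop + flowbits:noalert (would drop silently)")
```

Run it against a directory of `.rules` files by reading each file into `find_silent_drop_rules`; the state-tracking rule (sid 9000001 in the constructed sample) is the one reported, while the rule that actually alerts on the follow-up command and the rule that is `alert` under the policy it names are not.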
