[Snort-sigs] ftp rules

Adonis Okpidi adonisokpidi at ...2420...
Fri Oct 23 09:07:38 EDT 2015


http://stackoverflow.com/questions/22126452/snort-ips-rule-reject-work-but-drop-and-sdrop-dont-work

Have a read through the answer, as I'm sure it will help you understand why it doesn't drop the packet: Snort has to be run in inline mode, which makes it act as an IPS. By default Snort runs passively, which makes it unable to drop the packets, so change the settings in the snort.conf file. Let me know how you get on. Also, you can use 'rev:1;' and 'rev:2;'.

http://manual.snort.org/node31.html



Best Regards,
Adonis Okpidi


> On 23 Oct 2015, at 05:35, santhoj san <santhojirulappan at ...2420...> wrote:
> 
> Ya I tried with drop. Still it is not dropping the packets. I used the below rule
> 
> drop tcp any any -> any any (msg:"No chrome"; appid:chrome; sid:10000004; rev:001;)
> drop tcp any any -> any any (msg:"No skype"; appid:skype; sid:10000005; rev:001;)
> 
> Still I am able to access chrome, skype.
> 
> Thanks & Regards
> Santhoj Irulappan
> 
>> On Fri, Oct 23, 2015 at 12:50 AM, Adonis Okpidi <adonisokpidi at ...2420...> wrote:
>> You can use 'drop' instead of 'alert'
>> 
>> Best Regards,
>> Adonis Okpidi
>> 
>> 
>>> On 22 Oct 2015, at 18:28, santhoj san <santhojirulappan at ...2420...> wrote:
>>> 
>>> Hi, Can anyone help me in how to make a rule to drop the packets.
>>> 
>>> Thanks & Regards
>>> Santhoj Irulappan
>>> 
>>>> On Thu, Oct 22, 2015 at 9:12 PM, Adam Ring <adam.ring at ...4072...> wrote:
>>>> Yea I just found out about the protocol-ftp rules.  Thanks.
>>>> 
>>>> From: Joel Esler (jesler) [mailto:jesler at ...3865...] 
>>>> Sent: Thursday, October 22, 2015 11:42 AM
>>>> To: Adam Ring
>>>> Cc: snort-sigs at lists.sourceforge.net
>>>> Subject: Re: [Snort-sigs] ftp rules
>>>> 
>>>> Take a look at protocol-ftp.rules
>>>> 
>>>> --
>>>> Joel Esler
>>>> Manager, Talos Group
>>>> 
>>>> On Oct 22, 2015, at 8:55 AM, Adam Ring <adam.ring at ...4074...> wrote:
>>>> 
>>>> Hi I am new to snort and was trying to create an ftp rule.  I have downloaded the rules from the website, but in the ftp file there aren’t any rules in there.  I was wondering if that was supposed to be empty and if it is, is there a place where I can go to find some examples of ftp rules?
>>>> 
>>>> Adam Ring
>>>> IT Help Desk Technician
>>>> Office 703.677.9540
>>>> AOC Solutions | Solutions That Pay®
>>>> Blog | Video | LinkedIn
>>>> 
>>>> This e-mail and any attachments may contain confidential and privileged
>>>> information. If you are not the intended recipient, please notify the sender
>>>> immediately by return e-mail, delete this e-mail and attachments (if applicable)
>>>> and destroy any copies. Any dissemination or use of this information by a person
>>>> other than the intended recipient is unauthorized and strictly prohibited. You
>>>> may be subject to confidentiality restrictions in an existing contract with AOC
>>>> Solutions, Inc. As a result, you must protect the contents of this communication
>>>> according to such terms and conditions.
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>> http://www.snort.org
>>>> 
>>>> 
>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>> 
> 
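As an added example (this is not code from anyone in the thread, nor from the Snort project), here is a small Python checker that parses rules written like the two above and reports the two problems the replies raise: a drop/sdrop/reject action while Snort is not configured inline, so the rule only alerts, and a sid or rev written with leading zeros. The snort.conf fragments are constructed for the example. `config policy_mode:` and `config daq_mode:` are real Snort 2.9 snort.conf directives and `-Q` is the inline command-line switch, but treating an absent directive as passive ("tap") is this script's assumption, since it cannot see the command line.

```python
import re
from dataclasses import dataclass, field

# Snort 2.9 rule actions. The blocking ones only take effect when Snort runs inline
# (-Q on the command line / config policy_mode:inline); otherwise they behave like alert.
BLOCKING_ACTIONS = {"drop", "sdrop", "reject"}
KNOWN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"} | BLOCKING_ACTIONS

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Uncommented 'config policy_mode: tap|inline|inline_test' line in snort.conf.
POLICY_RE = re.compile(r"^\s*config\s+policy_mode\s*:\s*(\w+)", re.M)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_rule(text):
    """Split one Snort rule into its header fields and a dict of options.
    Simplification: options are split on ';', so escaped semicolons inside
    content/pcre values are not handled."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    options = {}
    for item in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, value = item.partition(":")       # bare keywords (e.g. 'nocase') get ''
        options[key.strip()] = value.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), options)


def policy_mode(conf_text):
    """policy_mode from a snort.conf fragment; 'tap' (passive) if unset, which is this
    script's assumption, as Snort is only inline when started with -Q."""
    m = POLICY_RE.search(conf_text)
    return m.group(1).lower() if m else "tap"


def lint_rule(rule, mode):
    """Return a list of findings for one parsed rule under the given policy_mode."""
    findings = []
    if rule.action not in KNOWN_ACTIONS:
        findings.append("unknown action %r" % rule.action)
    if rule.action in BLOCKING_ACTIONS and mode != "inline":
        findings.append("%s has no effect in policy_mode %s: traffic is only alerted on; "
                        "run Snort inline (-Q / config policy_mode:inline)" % (rule.action, mode))
    for key in ("sid", "rev"):
        value = rule.options.get(key)
        if value is None:
            findings.append("missing %s" % key)
        elif not value.isdigit():
            findings.append("%s must be a positive integer, got %r" % (key, value))
        elif value != str(int(value)):
            findings.append("%s has leading zeros (%s); write %s:%d" % (key, value, key, int(value)))
    return findings


def lint_rules(rule_texts, conf_text):
    """Map each rule's sid to its findings, using the policy_mode found in conf_text."""
    mode = policy_mode(conf_text)
    return {r.options.get("sid", "?"): lint_rule(r, mode) for r in map(parse_rule, rule_texts)}


# Constructed sample input: the two rules from the thread and two snort.conf fragments.
SAMPLE_RULES = [
    'drop tcp any any -> any any (msg:"No chrome"; appid:chrome; sid:10000004; rev:001;)',
    'drop tcp any any -> any any (msg:"No skype"; appid:skype; sid:10000005; rev:001;)',
]
PASSIVE_CONF = "# config policy_mode: tap|inline|inline_test\n"   # directive still commented out
INLINE_CONF = "config daq_mode: inline\nconfig policy_mode:inline\n"

if __name__ == "__main__":
    for label, conf in (("passive", PASSIVE_CONF), ("inline", INLINE_CONF)):
        print("== snort.conf:", label)
        for sid, findings in lint_rules(SAMPLE_RULES, conf).items():
            print(sid, findings or ["ok"])
```

Run against the passive fragment both rules get two findings (drop without inline mode, rev with leading zeros); against the inline fragment only the rev finding remains, and `rev:1;` clears it.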