[Snort-sigs] ftp rules

santhoj san santhojirulappan at ...2420...
Fri Oct 23 09:31:31 EDT 2015


I am running snort in IPS mode only. Now I changed the rules to use reject
instead of drop, with a different revision number for each rule. I'm getting
a Drop alert in the console but the packets are not dropped. I am able to access
the application.

*Rules:*
reject tcp any any -> any any (msg:"No skype 80"; appid:skype;
sid:10000004; rev:003;)
reject tcp any any -> any any (msg:"No youtube"; appid:youtube;
sid:10000006; rev:004;)
reject tcp any any -> any any (msg:"No Google"; appid:google; sid:10000007;
rev:005;)

*Changes in snort.conf*
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: buffer_size_mb=512

*command line:* sudo /usr/local/bin/snort -d -A console -u snort -g snort
-c /etc/snort/snort.conf -i eth0:wlan0 -Q
*Console Log:*
Enabling inline operation
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...


Thanks & Regards
Santhoj Irulappan
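A defender-side sanity check for the set-up in the post above, added here as an example; it is not code from the thread or from the Snort project. It parses the snort.conf `config` lines, the rules, the command line and the start-up banner, and reports the conditions under which drop / reject / sdrop rules are logged as alerts without anything being blocked. The sample inputs are the post's own config, rules, command line and console log copied into strings; the finding codes (`BANNER_IDS` and so on) are names chosen for this script.

```python
"""Sanity check for a Snort 2.x inline (IPS) deployment (added example, not code
from the thread or from Snort). It parses the snort.conf 'config' lines, the
rules, the command line and the start-up banner, and reports why drop / reject /
sdrop rules would show up as alerts without the packets being blocked."""
import re
import shlex

# Constructed sample inputs, copied from the post above into strings.
SNORT_CONF = """\
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: buffer_size_mb=512
"""
RULES = """\
reject tcp any any -> any any (msg:"No skype 80"; appid:skype; sid:10000004; rev:003;)
reject tcp any any -> any any (msg:"No youtube"; appid:youtube; sid:10000006; rev:004;)
reject tcp any any -> any any (msg:"No Google"; appid:google; sid:10000007; rev:005;)
"""
CMDLINE = ("sudo /usr/local/bin/snort -d -A console -u snort -g snort "
           "-c /etc/snort/snort.conf -i eth0:wlan0 -Q")
CONSOLE_LOG = "Enabling inline operation\nRunning in IDS mode\n"

BLOCK_ACTIONS = {"drop", "reject", "sdrop"}
CONFIG_RE = re.compile(r"^\s*config\s+(\w+)\s*:\s*(.*?)\s*$")
# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# name:value; pairs; enough for these samples (no escaped ';' inside msg strings)
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


def parse_config(text):
    """Map 'config key: value' lines to {key: value}."""
    conf = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_rules(text):
    """One dict per rule: action, proto, sid, rev (as ints) and the raw options."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group(8))}
        rules.append({"action": m.group(1).lower(), "proto": m.group(2).lower(),
                      "sid": int(opts.get("sid", 0)),
                      "rev": int(opts.get("rev", 0)),  # int('003') == 3: leading zeros are harmless
                      "options": opts})
    return rules


def check_deployment(conf_text, rules_text, cmdline, console_log):
    """Return (code, message) findings; an empty list means the set-up looks inline."""
    conf = parse_config(conf_text)
    rules = parse_rules(rules_text)
    argv = shlex.split(cmdline)
    findings = []

    if not any(r["action"] in BLOCK_ACTIONS for r in rules):
        findings.append(("NO_BLOCK_RULES", "no drop/reject/sdrop rules; nothing can be blocked"))
    # Settings that decide whether the engine is really inline.
    if conf.get("daq_mode") != "inline":
        findings.append(("DAQ_PASSIVE", "daq_mode is not inline; block actions only alert"))
    if conf.get("policy_mode") != "inline":
        findings.append(("POLICY_PASSIVE", "policy_mode is not inline; block actions are treated as alerts"))
    if "-Q" not in argv:
        findings.append(("NO_Q_FLAG", "-Q missing from the command line; Snort starts passive"))
    if conf.get("daq") == "afpacket":
        iface = argv[argv.index("-i") + 1] if "-i" in argv[:-1] else ""
        if ":" not in iface:
            findings.append(("NO_BRIDGE_PAIR", "afpacket inline needs an interface pair, e.g. -i eth0:eth1"))
    # The banner is the engine's own word on which mode it ended up in.
    if re.search(r"^Running in IDS mode", console_log, re.M):
        findings.append(("BANNER_IDS", "banner says IDS mode: the engine is passive, so 'Drop' "
                                       "is logged but the packet is forwarded"))
    # Rule hygiene: each sid must identify exactly one rule.
    seen = set()
    for r in rules:
        if r["sid"] in seen:
            findings.append(("DUP_SID", f"sid {r['sid']} is used by more than one rule"))
        seen.add(r["sid"])
    return findings


if __name__ == "__main__":
    for code, msg in check_deployment(SNORT_CONF, RULES, CMDLINE, CONSOLE_LOG):
        print(f"{code}: {msg}")
```

Run as is, it reports only `BANNER_IDS` for the posted set-up: the conf, the `-Q` flag and the `eth0:wlan0` pair all look inline, but the banner "Running in IDS mode" is Snort saying it is passive, and a passive engine still fires drop/reject rules as alerts, which is exactly the "Drop alert in console, application still reachable" symptom. The other checks correspond to the settings the replies point at. Note also that afpacket inline only blocks traffic it bridges between the two interfaces named in `-i`; anything that does not cross that pair is not subject to the rules.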

On Fri, Oct 23, 2015 at 6:37 PM, Adonis Okpidi <adonisokpidi at ...2420...>
wrote:

>
> http://stackoverflow.com/questions/22126452/snort-ips-rule-reject-work-but-drop-and-sdrop-dont-work
>
> Have a read through the answer, as I'm sure it will help you with why it
> doesn't drop the packet: snort has to be run in inline mode, which
> makes it act as an IPS. By default snort runs passively, which makes
> it unable to drop the packets, so change the settings in the snort.conf
> file. Let me know how you get on. And also you can use 'rev:1;' and 'rev:2;'
>
> http://manual.snort.org/node31.html
>
>
>
> Best Regards,
> Adonis Okpidi
>
>
> On 23 Oct 2015, at 05:35, santhoj san <santhojirulappan at ...2420...> wrote:
>
> Ya I tried with drop. Still it is not dropping the packets. I used the
> rules below
>
> drop tcp any any -> any any (msg:"No chrome"; appid:chrome; sid:10000004;
> rev:001;)
> drop tcp any any -> any any (msg:"No skype"; appid:skype; sid:10000005;
> rev:001;)
>
> Still I am able to access chrome, skype.
>
> Thanks & Regards
> Santhoj Irulappan
>
> On Fri, Oct 23, 2015 at 12:50 AM, Adonis Okpidi <adonisokpidi at ...2420...>
> wrote:
>
>> You can use 'drop' instead of 'alert'
>>
>> Best Regards,
>> Adonis Okpidi
>>
>>
>> On 22 Oct 2015, at 18:28, santhoj san <santhojirulappan at ...2420...> wrote:
>>
>> Hi, Can anyone help me in how to make a rule to drop the packets.
>>
>> Thanks & Regards
>> Santhoj Irulappan
>>
>> On Thu, Oct 22, 2015 at 9:12 PM, Adam Ring <adam.ring at ...4072...>
>> wrote:
>>
>>> Yea I just found out about the protocol-ftp rules.  Thanks.
>>>
>>>
>>>
>>> *From:* Joel Esler (jesler) [mailto:jesler at ...3865...]
>>> *Sent:* Thursday, October 22, 2015 11:42 AM
>>> *To:* Adam Ring
>>> *Cc:* snort-sigs at lists.sourceforge.net
>>> *Subject:* Re: [Snort-sigs] ftp rules
>>>
>>> Take a look at protocol-ftp.rules
>>>
>>> --
>>> *Joel Esler*
>>> Manager, Talos Group
>>>
>>> On Oct 22, 2015, at 8:55 AM, Adam Ring <adam.ring at ...4074...
>>> <adam.ring at ...4072...>> wrote:
>>>
>>>
>>>
>>> Hi I am new to snort and was trying to create an ftp rule.  I have
>>> downloaded the rules from the website, but in the ftp file there aren’t any
>>> rules in there.  I was wondering if that was supposed to be empty and if it
>>> is, is there a place where I can go to find some examples of ftp rules?
>>>
>>>
>>>
>>> *Adam Ring*
>>>
>>> IT Help Desk Technician
>>>
>>> Office 703.677.9540
>>>
>>>
>>> This e-mail and any attachments may contain confidential and privileged
>>> information. If you are not the intended recipient, please notify the sender
>>> immediately by return e-mail, delete this e-mail and attachments (if applicable)
>>> and destroy any copies. Any dissemination or use of this information by a person
>>> other than the intended recipient is unauthorized and strictly prohibited. You
>>> may be subject to confidentiality restrictions in an existing contract with AOC
>>> Solutions, Inc. As a result, you must protect the contents of this communication
>>> according to such terms and conditions.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>> http://www.snort.org
>>>
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>>
>>
>>
>>
>>
>

