[Snort-sigs] ftp rules

santhoj san santhojirulappan at ...2420...
Mon Oct 26 09:10:01 EDT 2015


I have included resp in the rule, but it is still not dropping the packet.

*command used:* sudo /usr/local/bin/snort -A console -d -Q -c /etc/snort/snort.conf -i eth0:wlan0

*Network information:*
*eth0:* 192.168.101.158/23
*wlan0:* 192.168.101.159/23

ipvar HOME_NET 192.168.101.158/23

*Rules used:*
drop icmp any any -> $HOME_NET any (msg:"ICMP test"; resp: icmp_port; sid:10000001; rev:001;)
drop tcp any any -> any any (msg:"FB drop"; appid:firefox mozilla; resp: rst_all; sid:10000003; rev:002;)
drop tcp any any -> any any (msg:"No skype 80"; appid:skype; resp: rst_all; sid:10000004; rev:003;)
drop tcp any any -> any any (msg:"No youtube"; appid:youtube; resp: rst_all; sid:10000006; rev:004;)
drop tcp any any -> any any (msg:"No Google"; appid:google; resp: rst_all; sid:10000007; rev:005;)

Can you please check whether these application packets are dropped for you?

I have configured Snort in inline mode (IPS), with the DAQ in afpacket mode.

Thanks & Regards
Santhoj Irulappan

On Fri, Oct 23, 2015 at 7:58 PM, Al Lewis (allewi) <allewi at ...3865...> wrote:

> Take a look at the README.active file.
>
> I think you are missing the “resp:<resp_t>;” in your rule.
>
> Albert Lewis
> QA Software Engineer
> SOURCE*fire*, Inc. now part of *Cisco*
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...3865...
>
> *From:* santhoj san [mailto:santhojirulappan at ...2420...]
> *Sent:* Friday, October 23, 2015 9:32 AM
> *To:* Adonis Okpidi
> *Cc:* snort-sigs at lists.sourceforge.net
> *Subject:* Re: [Snort-sigs] ftp rules
>
> I am running Snort in IPS mode only. I have now changed the rules to use
> reject instead of drop, with a different revision number for each rule. I'm
> getting the Drop alert in the console, but the packets are not dropped: I am
> still able to access the application.
>
> *Rules:*
>
> reject tcp any any -> any any (msg:"No skype 80"; appid:skype; sid:10000004; rev:003;)
> reject tcp any any -> any any (msg:"No youtube"; appid:youtube; sid:10000006; rev:004;)
> reject tcp any any -> any any (msg:"No Google"; appid:google; sid:10000007; rev:005;)
>
> *Changes in snort.conf*
>
> config policy_mode:inline
> config daq: afpacket
> config daq_dir: /usr/local/lib/daq
> config daq_mode: inline
> config daq_var: buffer_size_mb=512
>
> *command line:* sudo /usr/local/bin/snort -d -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0:wlan0 -Q
>
> *Console Log:*
>
> Enabling inline operation
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> ...
>
> Thanks & Regards
> Santhoj Irulappan
>
> On Fri, Oct 23, 2015 at 6:37 PM, Adonis Okpidi <adonisokpidi at ...2420...>
> wrote:
>
> http://stackoverflow.com/questions/22126452/snort-ips-rule-reject-work-but-drop-and-sdrop-dont-work
>
> Have a read through the answer, as I'm sure it will help you understand why it
> doesn't drop the packet: Snort has to be run in inline mode, which makes it
> act as an IPS. By default Snort runs passively, which makes it unable to drop
> the packets, so change the settings in the snort.conf file. Let me know how
> you get on. Also, you can use 'rev:1;' and 'rev:2;'.
>
> http://manual.snort.org/node31.html
>
> Best Regards,
> Adonis Okpidi
>
> On 23 Oct 2015, at 05:35, santhoj san <santhojirulappan at ...2420...> wrote:
>
> Yes, I tried with drop. It is still not dropping the packets. I used the
> rules below:
>
> drop tcp any any -> any any (msg:"No chrome"; appid:chrome; sid:10000004; rev:001;)
> drop tcp any any -> any any (msg:"No skype"; appid:skype; sid:10000005; rev:001;)
>
> I am still able to access Chrome and Skype.
>
> Thanks & Regards
> Santhoj Irulappan
>
> On Fri, Oct 23, 2015 at 12:50 AM, Adonis Okpidi <adonisokpidi at ...2420...>
> wrote:
>
> You can use 'drop' instead of 'alert'.
>
> Best Regards,
> Adonis Okpidi
>
> On 22 Oct 2015, at 18:28, santhoj san <santhojirulappan at ...2420...> wrote:
>
> Hi, can anyone help me with how to make a rule that drops the packets?
>
> Thanks & Regards
> Santhoj Irulappan
>
> On Thu, Oct 22, 2015 at 9:12 PM, Adam Ring <adam.ring at ...4072...>
> wrote:
>
> Yea, I just found out about the protocol-ftp rules. Thanks.
>
> *From:* Joel Esler (jesler) [mailto:jesler at ...3865...]
> *Sent:* Thursday, October 22, 2015 11:42 AM
> *To:* Adam Ring
> *Cc:* snort-sigs at lists.sourceforge.net
> *Subject:* Re: [Snort-sigs] ftp rules
>
> Take a look at protocol-ftp.rules
>
> --
> *Joel Esler*
> Manager, Talos Group
>
> On Oct 22, 2015, at 8:55 AM, Adam Ring <adam.ring at ...4074...
> <adam.ring at ...4072...>> wrote:
>
> Hi, I am new to Snort and was trying to create an FTP rule. I have
> downloaded the rules from the website, but the ftp file doesn't have any
> rules in it. I was wondering whether it is supposed to be empty and, if it
> is, is there a place where I can find some examples of FTP rules?
>
> *Adam Ring*
> IT Help Desk Technician
> Office 703.677.9540
>
> This e-mail and any attachments may contain confidential and privileged
> information. If you are not the intended recipient, please notify the sender
> immediately by return e-mail, delete this e-mail and attachments (if applicable)
> and destroy any copies. Any dissemination or use of this information by a person
> other than the intended recipient is unauthorized and strictly prohibited. You
> may be subject to confidentiality restrictions in an existing contract with AOC
> Solutions, Inc. As a result, you must protect the contents of this communication
> according to such terms and conditions.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
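The inline-mode checklist this thread arrives at, written up as a small linter. This is an added example rather than code from the thread or from the Snort project: it runs over constructed copies of the thread's snort.conf excerpt, command line and rules, checks for policy_mode and daq_mode set to inline, -Q and an interface pair on the command line, and a blocking rule action, and its regular expressions are a simplification of Snort's real grammar.

```python
"""Lint a Snort 2.9 IPS setup for the inline-mode prerequisites discussed in the
thread (added example; the parsing is a simplification of Snort's real grammar)."""
import re
import shlex

# Constructed inputs copied from the thread's snort.conf excerpt, command line and
# rules; one rule is deliberately left as 'alert' so that a finding fires.
SNORT_CONF = """config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: buffer_size_mb=512
"""
CMDLINE = "sudo /usr/local/bin/snort -d -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0:wlan0 -Q"
RULES = """drop tcp any any -> any any (msg:"No skype 80"; appid:skype; resp: rst_all; sid:10000004; rev:003;)
alert tcp any any -> any any (msg:"No youtube"; appid:youtube; sid:10000006; rev:4;)
"""

CONFIG_RE = re.compile(r"^\s*config\s+(\w+)\s*:\s*(\S+)", re.M)
# action proto src sport direction dst dport (options)
RULE_RE = re.compile(r"^\s*(\w+)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$", re.M)


def opt(opts: str, name: str) -> str:
    """Value of a numeric rule option such as sid or rev, or '' if absent."""
    m = re.search(rf"\b{name}:\s*(\d+)", opts)
    return m.group(1) if m else ""


def lint(conf: str, cmdline: str, rules: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    cfg = dict(CONFIG_RE.findall(conf))
    if cfg.get("policy_mode") != "inline":
        findings.append("snort.conf: 'config policy_mode:inline' missing (required for drop rules to block)")
    if cfg.get("daq_mode") != "inline":
        findings.append("snort.conf: 'config daq_mode: inline' missing")
    argv = shlex.split(cmdline)
    if "-Q" not in argv:
        findings.append("command line: add -Q so the DAQ runs inline")
    iface = argv[argv.index("-i") + 1] if "-i" in argv[:-1] else ""
    if ":" not in iface:
        findings.append("command line: afpacket inline needs an interface pair, e.g. -i eth0:wlan0")
    for action, opts in RULE_RE.findall(rules):
        sid, rev = opt(opts, "sid") or "?", opt(opts, "rev")
        if action not in ("drop", "reject", "sdrop"):  # the only actions that block inline
            findings.append(f"sid {sid}: action '{action}' cannot drop; use drop or reject")
        if rev and rev != str(int(rev)):
            findings.append(f"sid {sid}: rev:{rev} has leading zeros; rev:{int(rev)} is the usual form")
    return findings


print("\n".join(lint(SNORT_CONF, CMDLINE, RULES)))  # report findings for the thread's setup
```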