[Snort-users] Alert question???

Hicks, John JHicks at ...5857...
Tue Aug 13 10:40:05 EDT 2002


Another way to limit flooding with this rule is to specify:
alert tcp $Home_Net any -> $External_Net any (msg:)

Doing so will track word usage coming out of the LAN only, which is much
better for its usage as a 'policy' rule.

cheers,

John

-----Original Message-----
From: Ian Macdonald [mailto:secsnort at ...5528...]
Sent: Tuesday, August 13, 2002 1:19 PM
To: quentyn at ...3871...; Joe Giles
Cc: Know How; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Alert question???


Yeah, they were a joke, but they sometimes come in useful. I have disabled
any rule that has a single word in it, and any common phrases. I also
created a variable that contains IP addresses I exclude. You might want to
exclude things like Hotmail and Yahoo mail because of people deleting junk
mail. You just need to spend a little time working out which sites are
triggering, and exclude them if they are something like CNN. A request to remove
some porn rules is in the queue.

If you look at the PORN Virgin rule you will see it is matching on the
content "virgin", so it is not a bug, just a poor rule. If you really wanted
to match on virgin you would do " virgin ", and even then you are going to
get triggers on web pages that have, say, "The virgin Mary".

Have a look at the rules you have enabled and work out if they fit your
environment. If not, disable them. A good tool for doing rule management is
Oinkmaster. You can set the SIDs of the rules you want disabled, then update
your rule set from the latest version on snort.org.

Ian
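The two suggestions in this thread (John's: match outbound traffic only; Ian's: match the whole word rather than any substring) can be seen side by side on sample traffic. The following is an added illustration, not code from either poster or from Snort; the 192.168.1.0/24 range standing in for $HOME_NET and the packets themselves are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed LAN range standing in for Snort's $HOME_NET; anything else is external.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# Ian's " virgin " idea expressed as a word-boundary regex (what a pcre option would do).
WORD_VIRGIN = re.compile(r"\bvirgin\b", re.IGNORECASE)


@dataclass
class Packet:
    src: str
    dst: str
    payload: str

    def outbound(self) -> bool:
        """True for LAN -> external traffic, i.e. $HOME_NET any -> $EXTERNAL_NET any."""
        return (ipaddress.ip_address(self.src) in HOME_NET
                and ipaddress.ip_address(self.dst) not in HOME_NET)


def substring_rule(pkt: Packet) -> bool:
    """The stock rule's behaviour: content:"virgin" (case-insensitive), either direction."""
    return "virgin" in pkt.payload.lower()


def outbound_substring_rule(pkt: Packet) -> bool:
    """John's variant: the same content match, but only on traffic leaving the LAN."""
    return pkt.outbound() and substring_rule(pkt)


def outbound_word_rule(pkt: Packet) -> bool:
    """Ian's variant on top of John's: only whole-word hits count."""
    return pkt.outbound() and WORD_VIRGIN.search(pkt.payload) is not None


# Constructed sample traffic (not real captures); 198.51.100.0/24 is documentation address space.
PACKETS = [
    Packet("198.51.100.7", "192.168.1.20", "HTTP/1.1 200 OK\r\n\r\nElection results from Virginia"),
    Packet("198.51.100.7", "192.168.1.20", "HTTP/1.1 200 OK\r\n\r\nThe virgin Mary in art"),
    Packet("192.168.1.20", "192.168.1.5", "GET /wiki/Virginia_office HTTP/1.1"),
    Packet("192.168.1.20", "198.51.100.7", "GET /state/virginia/taxes HTTP/1.1"),
    Packet("192.168.1.20", "198.51.100.7", "GET /search?q=virgin+atlantic HTTP/1.1"),
    Packet("192.168.1.20", "198.51.100.7", "GET /adult/virgin/ HTTP/1.1"),
]


def alerts(rule) -> list:
    """Indices of the packets in PACKETS that the given rule would alert on."""
    return [i for i, pkt in enumerate(PACKETS) if rule(pkt)]


if __name__ == "__main__":
    for rule in (substring_rule, outbound_substring_rule, outbound_word_rule):
        print(f"{rule.__name__:25s} alerts on packets {alerts(rule)}")
```

The bare substring rule fires on all six packets, the outbound-only form on three, and the outbound whole-word form on two; the residual hit on the airline search shows why Ian says even the word match still needs per-site exclusions or disabling.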
----- Original Message -----
From: <quentyn at ...3871...>
To: "Joe Giles" <jgiles at ...6534...>
Cc: "Know How" <beteachable at ...125...>;
<snort-users at lists.sourceforge.net>
Sent: Tuesday, August 13, 2002 12:51 PM
Subject: Re: [Snort-users] Alert question???


> Joe Giles wrote:
> >
> > Actually, I have been getting this too. I think it's a bug. If you look
> > at the packet data, there is probably a word in there that starts or ends
> > with VIRGIN. Like, for example VIRGINIA. LOL... I just disabled the PORN
> > section and use another app for that :)...
> >
> > Hope this helps..
> >
> >
>
> I thought that the porn rules were a piss take anyway? I thought that
> their presence was due to the other IDS vendors' saying that they had
> them as a selling point?
>
> Q
>
>
>
> --
> #####################
> Quentyn Taylor
> Sysadmin - Fotango
> #####################
> `Naturally, a sysadmin's entire person is holy. We have the power to
> kill daemons.'
>    Mike Sphar
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code=31
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>