[Snort-users] FYI: Empty IP used either as source IP or as destination IP in a rule. IP list: [].

Matt Jonkman jonkman at ...4024...
Tue Apr 28 15:07:03 EDT 2009


Well put Jason. In a lower traffic environment snort does IP matching
well enough.

And even in a lot of medium speed installs using tools like snortsam
it's useful to match on bad IP lists. We know about tens of thousands of
bad IPs a highly secure site might want to block, but updating that into
an entire perimeter of firewalls every day isn't that feasible.

If we can just have snort match on the really bad ones and use snortsam
to add the rule live when we see a bad IP we save a lot of overhead in
firewall administration. Then we only have rules in for the ones we're
really seeing, and snortsam handles the admin overhead.

Works for me :)

Matt





Jason Brvenik wrote:
> I say use the tools you have to do the job you need when it needs to
> be done, just don't complain that the screws don't hold as well when
> you hammer them in.
> 
> On Tue, Apr 28, 2009 at 1:21 PM, Joel Esler <jesler at ...1935...> wrote:
>> Nice.  Then I'd rather see these rules used there instead of in Snort.
>>  Snort is not a firewall.
>> J
>>
>> On Tue, Apr 28, 2009 at 10:16 AM, Shirk Dog <shirkdog_list at ...125...>
>> wrote:
>>> Get with it finchy.
>>>
>>> http://www.emergingthreats.net/fwrules/
>>>
>>> Shirkdog
>>> ' or 1=1--
>>> http://www.shirkdog.us
>>>
>>>
>>>
>>> ________________________________
>>> Date: Tue, 28 Apr 2009 09:15:42 -0400
>>> From: jesler at ...1935...
>>> To: jlay at ...13475...
>>> CC: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] FYI: Empty IP used either as source IP or as
>>> destination IP in a rule. IP list: [].
>>>
>>> On Tue, Apr 28, 2009 at 8:54 AM, James Lay <jlay at ...13475...>
>>> wrote:
>>>
>>> Ruleset gets updated at midnight:
>>>
>>>
>>> Apr 28 06:29:52 gateway snort[12383]: FATAL ERROR: >
>>> /chroot/snort/etc/snort/rules/emerging-drop.rules(49) => Empty IP used
>>> either as source IP or as destination IP in a rule. IP list: [].
>>>
>>> This is an emerging threats rule, so they'll see this email.  However, I'd
>>> still love to see these IP lists developed into Firewall rules for different
>>> Firewalls, or even routers.  People could then utilize the proper device to
>>> drop the traffic to and from these IPs instead of trying to use an IPS as a
>>> firewall.  This has needed to be done for a long time coming now.
>>>
>>> --
>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
>>> http://twitter.com/joelesler
>>>
>>> ________________________________
>>> Windows Live™ SkyDrive™: Get 25 GB of free online storage. Check it out.
>>>
>>> ------------------------------------------------------------------------------
>>> Register Now & Save for Velocity, the Web Performance & Operations
>>> Conference from O'Reilly Media. Velocity features a full day of
>>> expert-led, hands-on workshops and two days of sessions from industry
>>> leaders in dedicated Performance & Operations tracks. Use code vel09scf
>>> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
>> http://twitter.com/joelesler
>>
>> ------------------------------------------------------------------------------
>> Register Now & Save for Velocity, the Web Performance & Operations
>> Conference from O'Reilly Media. Velocity features a full day of
>> expert-led, hands-on workshops and two days of sessions from industry
>> leaders in dedicated Performance & Operations tracks. Use code vel09scf
>> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
> 
> ------------------------------------------------------------------------------
> Register Now & Save for Velocity, the Web Performance & Operations 
> Conference from O'Reilly Media. Velocity features a full day of 
> expert-led, hands-on workshops and two days of sessions from industry 
> leaders in dedicated Performance & Operations tracks. Use code vel09scf 
> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc






More information about the Snort-users mailing list