[Snort-users] problems with PP

Pratik Narang pratik.cse.bits at ...11827...
Fri Sep 14 09:43:51 EDT 2012


Sorry for the trouble guys, the problem is resolved- I did not run PP after
making changes to the disablesid file!!
But this throws up another problem- I run Snort on a system which receives
a netflow (or is it IPFIX?) and hence is not connected to the internet. But
whenever PP starts, it tries to connect to the internet to look for new
rules. Any suggestions for a work-around for this? It is not very neat to
keep plugging the neighboring system's ethernet cable to connect to the
internet and run PP for every single rule I wish to add to
enablesid.conf/disablesid.conf etc. Can't I make PP just do these 'local
tasks' and not let it check for new rules? :)

On Fri, Sep 14, 2012 at 7:00 PM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:

> I enabled the 'security' policy via PP and have been getting these kinds
> of alerts by the dozen :
>
> 09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer
> request  [**] [Classification: Potential Corporate Privacy Violation]
> [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer
> request  [**] [Classification: Potential Corporate Privacy Violation]
> [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer
> request  [**] [Classification: Potential Corporate Privacy Violation]
> [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774692  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer
> request  [**] [Classification: Potential Corporate Privacy Violation]
> [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
>
> I put that sig id into my disablesid.conf, but I continue to get the
> alerts. What could be wrong here? What is the correct way of putting the
> sids- 16282, 1:16282, or 1:16282:3 ?
> I also tried putting the category 'VRT-p2p' in disablesid.conf, but to no
> avail :(
>