[Snort-users] problems with PP

Michael Steele michaels at ...9077...
Fri Sep 14 09:47:35 EDT 2012


Whenever anything rule-affiliated is changed, PP has to be re-run in order to
update.

The process: Stop Snort, Run PP, Start Snort

 

Michael...

 

From: Pratik Narang [mailto:pratik.cse.bits at ...11827...] 
Sent: Friday, September 14, 2012 9:30 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] problems with PP

 

I enabled the 'security' policy via PP and have been getting these kinds of
alerts by the dozen :

 

09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request
[**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
{UDP} 172.16.39.102:23943 -> 172.16.100.107:60294

09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request
[**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
{UDP} 172.16.39.102:23943 -> 172.16.100.107:60294

09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request
[**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
{UDP} 172.16.39.102:23943 -> 172.16.100.107:60294

09/14-18:55:28.774692  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request
[**] [Classification: Potential Corporate Privacy Violation] [Priority: 1]
{UDP} 172.16.39.102:23943 -> 172.16.100.107:60294

 

I put that sig id into my disablesid.conf, but I continue to get the alerts.
What could be wrong here? What is the correct way of putting the sids:
16282, 1:16282, or 1:16282:3?

I also tried putting the category 'VRT-p2p' in disablesid.conf, but to no avail
:(
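
A check for the situation in this thread, as an added example that is not part of the original posts: it parses Snort fast-format alert lines, whose bracketed field is gid:sid:rev, and counts alerts for rules expected to be disabled that are stamped after the Stop Snort, Run PP, Start Snort cycle. The function names, the restart timestamp and the first sample line are constructed for illustration.

```python
import re
from collections import Counter

# Snort "fast" alert header: timestamp [**] [gid:sid:rev] message [**] ...
# Assumes the default MM/DD-HH:MM:SS.usec timestamp (no year field).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

def parse_alerts(text):
    """Return (timestamp, gid, sid, rev, msg) for every alert header in text."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            found.append((m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"]))
    return found

def still_firing(alert_text, disabled, restarted_at):
    """Count alerts for (gid, sid) pairs in `disabled` stamped at/after restart.

    The rev is ignored on purpose: a rule update bumps it without changing
    which rule fired. Timestamps are fixed-width and zero-padded, so string
    comparison orders them correctly within one calendar year.
    """
    hits = Counter()
    for ts, gid, sid, _rev, _msg in parse_alerts(alert_text):
        if (gid, sid) in disabled and ts >= restarted_at:
            hits[(gid, sid)] += 1
    return dict(hits)

# Constructed sample: the first line is invented (an alert from before the
# restart); the other two reuse the alert header quoted in the thread.
_TAIL = ("PUA-P2P Bittorrent uTP peer request [**] [Classification: Potential "
         "Corporate Privacy Violation] [Priority: 1] "
         "{UDP} 172.16.39.102:23943 -> 172.16.100.107:60294")
SAMPLE = "\n".join(
    f"{ts}  [**] [1:16282:3] {_TAIL}"
    for ts in ("09/14-18:40:02.100000", "09/14-18:55:28.774651", "09/14-18:55:28.774654")
)

if __name__ == "__main__":
    # Hypothetical restart time; any hit means the rule is still loaded.
    print(still_firing(SAMPLE, {(1, 16282)}, "09/14-18:50:00"))
```

A non-empty result for a rule that was meant to be disabled means the running Snort still has it loaded, so the generated rules file and the restart are the places to look.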
