[Snort-users] problems with PP

Joel Esler jesler at ...1935...
Fri Sep 14 09:52:37 EDT 2012


You don't have to stop Snort to run pulledpork.

You can run it, then restart Snort, to minimize downtime.  Or, make it reload the ruleset while running.

On Sep 14, 2012, at 9:47 AM, "Michael Steele" <michaels at ...9077...> wrote:

> Anything rule affiliated that is changed, PP has to be re-run in order to update.
>  
> The process: Stop Snort, Run PP, Start Snort
>  
> Michael...
>  
> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...] 
> Sent: Friday, September 14, 2012 9:30 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] problems with PP
>  
> I enabled the 'security' policy via PP and have been getting these kinds of alerts by the dozen:
>  
> 09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774692  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
>  
> I put that sig id into my disablesid.conf, but I continue to get the alerts. What could be wrong here? What is the correct way of putting the sids: 16282, 1:16282, or 1:16282:3?
> I also tried putting the category 'VRT-p2p' in disablesid.conf, but to no avail :(
