[Snort-users] problems with PP

Joel Esler jesler at ...1935...
Fri Sep 14 10:02:59 EDT 2012


Yes, there is an option to make Pulledpork only process locally.  I suggest a quick read of --help when you start pulledpork.

Thanks

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 14, 2012, at 9:43 AM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:

> Sorry for the trouble guys, the problem is resolved- I did not run PP after making changes to the disablesid file!!
> But this throws up another problem- I run Snort on a system which receives a netflow (or is it IPFIX?) and hence is not connected to the internet. But whenver PP starts, it tries to connect to the internet to look for new rules. Any suggestions for a work-around for this? It is not vey neat to keep plugging the neighboring system's ethernet cable to connect to the internet and run PP for every single rule I wish to add to enablesid.conf/disablesid.conf etc. Cant I make PP just do these 'local tasks' and not let it check for new rules? :)
> 
> On Fri, Sep 14, 2012 at 7:00 PM, Pratik Narang <pratik.cse.bits at ...14459.....> wrote:
> I enabled the 'security' policy via PP and have been getting these kinds of alerts by the dozen :
> 
> 09/14-18:55:28.774651  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774654  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23-943 -> 172.16.100.107:60294
> 09/14-18:55:28.774656  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 09/14-18:55:28.774692  [**] [1:16282:3] PUA-P2P Bittorrent uTP peer request  [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.39.102:23943 -> 172.16.100.107:60294
> 
> I put that sig id into my disablesid.conf, but i continue to get the alerts. What could be wrong here? What is the correct way of putting the sids- 16282, 1:16282, or 1:16282:3 ?
> I also tried putting the category 'VRT-p2p' in disablesid.conf, but no avail :(
> 
> ------------------------------------------------------------------------------
> Got visibility?
> Most devs has no idea what their production app looks like.
> Find out how fast your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219671;13503038;y?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120914/675d6124/attachment.html>


More information about the Snort-users mailing list