[Snort-users] Using pulled pork to change rule state from alert to drop for a policy type

Yossi Nachum nachum234 at ...11827...
Sun Mar 24 16:24:00 EDT 2013


I am using regex to do that.

something like:
pcre:security-ips\s*drop

Yossi Nachum

On Sun, Mar 24, 2013 at 7:41 PM, Tony Robinson
<deusexmachina667 at ...11827...> wrote:

> Hello Folks,
>
> I'm doing some experimentation with snort. I'm trying to document
> effective ways to transition a passive snort installation into an inline
> mode installation. Near as far as I can tell, there are a few key things
> you need to do with a modern snort installation to transition it to inline
> mode:
>
> 1. Configure DAQ for inline mode operation (e.g. afpacket and the
> interfaces you want to bridge)
>
> 2. Ensure the interfaces are configured to be up at boot and ready to
> forward traffic.
>
> 3. Test to ensure the interfaces are forwarding traffic as expected.
>
> 4. Modify your snort command line to add the -Q option, and your
> snort.conf with config policy_mode:inline
>
> 5. Modify your snort rules to drop traffic in inline mode.
>
> My question revolves around 5. I'm well aware that pulled pork, via
> dropsid.conf, can be used to change alert rules to drop rules. I'm worried
> about haphazardly changing all the rules in my snort.rules file to DROP ALL
> THE THINGS.
>
> What I would like to do: If I see a rule with policy metadata that
> recommends the rule be set to drop, I want to change that rule from alert
> to drop. Let's pick on sid 1:10011 -- SERVER-MAIL Novell NetMail APPEND
> command buffer overflow attempt, just to illustrate what I'm trying to do.
>
> It has the line "metadata:policy security-ips drop" indicating that: "If
> the user is using a security over connectivity ruleset, this would make a
> good drop rule in that rule policy configuration."
>
> If I am using a given rule policy configuration in pulled pork (balanced,
> connectivity or security), and I see a rule with metadata that indicates a
> given rule would make a good drop rule for that policy ruleset (metadata:
> policy balanced-ips || policy connectivity-ips || policy security-ips), I
> want to use pulledpork to change it to a drop rule. Is there an effective
> way to do this?
>
> If there is not, I think this would make for an awesome feature request in
> PP.
>
> --
> when does reality end? when does fantasy begin?
>
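As an added example (not part of this thread and not PulledPork's own code), the rewrite the question is after, carried out over a few constructed rule lines: only enabled `alert` rules whose metadata carries `policy <name>-ips drop` for the chosen policy are switched to `drop`, commented-out rules are left alone, and the `pcre:` approach from the reply is shown beside it for comparison. The sids and rule bodies are placeholders, not real ruleset entries.

```python
import re

# Constructed sample rules; sids and messages are placeholders, not VRT rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL example APPEND overflow"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP example alert-only"; flow:to_server,established; metadata:policy security-ips alert, service http; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule with drop metadata"; metadata:policy security-ips drop; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"PROTOCOL-DNS example without policy metadata"; sid:1000004; rev:1;)
"""

# Only an uncommented rule whose action is literally "alert" is a candidate.
ACTION_RE = re.compile(r'^alert\s+(?P<rest>.*)$')
METADATA_RE = re.compile(r'metadata:\s*([^;]*);')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

# The regex the reply puts in dropsid.conf; shown here only to compare behaviour.
DROPSID_PCRE = re.compile(r'security-ips\s*drop')


def policy_recommends_drop(rule, policy):
    """True when the metadata option holds the exact entry 'policy <policy>-ips drop'.

    Entries are split on commas so 'policy security-ips alert' never matches."""
    m = METADATA_RE.search(rule)
    if not m:
        return False
    entries = [e.strip() for e in m.group(1).split(',')]
    return f'policy {policy}-ips drop' in entries


def promote_to_drop(rules_text, policy):
    """Rewrite 'alert' to 'drop' for enabled rules the metadata recommends for the policy.

    Returns (rewritten_text, list_of_sids_changed). Commented rules are untouched."""
    out, changed = [], []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m and policy_recommends_drop(line, policy):
            line = 'drop ' + m.group('rest')
            sid = SID_RE.search(line)
            changed.append(int(sid.group(1)) if sid else None)
        out.append(line)
    return '\n'.join(out) + '\n', changed


def pcre_matches(rules_text):
    """Sids the dropsid.conf pcre would select, ignoring whether the rule is enabled."""
    return [int(SID_RE.search(l).group(1)) for l in rules_text.splitlines() if DROPSID_PCRE.search(l)]
```

Run against the real snort.rules, `pcre_matches` also reports sid 1000003 because the pattern does not look at the leading `#`; the metadata parser above skips it, which is the difference worth checking before switching a whole ruleset.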