[Snort-users] Using pulled pork to change rule state from alert to drop for a policy type

waldo kitty wkitty42 at ...14940...
Mon Mar 25 12:19:10 EDT 2013


On 3/24/2013 12:41, Tony Robinson wrote:
> 5. Modify your snort rules to drop traffic in inline mode.
>
> My question revolves around 5. I'm well aware that pulled pork, via
> dropsid.conf, can be used to change alert rules to drop rules. I'm worried about
> haphazardly changing all the rules in my snort.rules file to DROP ALL THE THINGS.

there are two (2) camps to this particular question...

1. are you running the novell netmail server (mentioned in next quoted 
paragraph) on your network? is it patched up to date and is fixed for this 
specific flaw? if the answer is "yes", then you don't need to run this rule, do 
you? for one thing, not loading this rule will lower snort's memory footprint as 
well as increasing snort's processing speed since it doesn't have to process the 
rule. so run only those rules that pertain to your network and the equipment and 
servers allowed to run on it...

2. i'm kinda in the other camp... if someone is sending bad data to my system, i 
want to know about it... don't shake (test) the door knob on my front door to 
see if it is opened for you to just walk in... if you try to connect to mssql on 
my network from outside my network, i want to know about it... a) there's no 
reason for someone outside my network to try to connect to any sql servers there 
may be on my network, b) sql servers should not face the world wild whirl and c) 
how would you know there was a server there unless you've been probing and 
hunting for holes in which case, you are definitely up to no good and will be 
blocked...

> What I would like to do: If I see a rule with policy metadata that recommends
> the rule be set to drop, I want to change that rule from alert to drop. Let's
> pick on sid 1:10011 -- SERVER-MAIL Novell NetMail APPEND command buffer overflow
> attempt, just to illustrate what I'm trying to do.

see above camp 1 unless you are in camp 2 ;)

> It has the line "metadata:policy security-ips drop" indicating that: "If the
> user is using a security over connectivity ruleset, this would make a good drop
> rule in that rule policy configuration."

ok...

> If I am using a given rule policy configuration in pulled pork (balanced,
> connectivity or security), and I see a rule with metadata that indicates a given
> rule would make a good drop rule for that policy ruleset (metadata: policy
> balanced-ips || policy connectivity-ips || policy security-ips), I want to use
> pulledpork to change it to a drop rule. Is there an effective way to do this?
>
> If there is not, I think this would make for an awesome feature request in PP.

i'll let others speak on this since i don't (yet) use pulledpork... i don't yet 
know how i would do it in my package but i have a rough idea... if PP doesn't 
have it, i agree that it would be a nice feature...
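The rewrite the original question asks for, as an added Python example that is not from the thread and not PulledPork's own code: it reads Snort rules, keeps only enabled `alert` rules whose `metadata:` carries `policy <chosen>-ips drop`, flips those to `drop`, and lists their `gid:sid` values (the form assumed here for a drop list such as dropsid.conf). The sample rules are constructed; only sid 1:10011 and its message come from the thread, the other options and sids are made up.

```python
import re

# Constructed sample rules (not from the post). sid 10011 and its msg are the
# ones the thread discusses; every other option, sid and rule is invented.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; sid:10011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"CONSTRUCTED mssql connection from outside"; metadata:policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED informational only"; metadata:policy security-ips alert, service http; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled rule"; metadata:policy security-ips drop; sid:9000003; rev:1;)
"""

POLICIES = ("connectivity", "balanced", "security")

METADATA_RE = re.compile(r"metadata:\s*([^;]*);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def policy_wants_drop(rule, policy):
    """True if the rule's metadata contains 'policy <policy>-ips drop'."""
    m = METADATA_RE.search(rule)
    if not m:
        return False
    # metadata entries are comma separated: "policy balanced-ips drop, service smtp"
    for entry in m.group(1).split(","):
        parts = entry.split()
        if parts[:1] == ["policy"] and parts[1:] == [f"{policy}-ips", "drop"]:
            return True
    return False


def promote_to_drop(rules_text, policy):
    """Rewrite enabled 'alert' rules to 'drop' where the chosen policy says so.

    Returns (rewritten_rules, ["gid:sid", ...] of the rules that changed).
    Commented-out rules and rules the policy marks 'alert' are left untouched.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}, expected one of {POLICIES}")
    out, changed = [], []
    for line in rules_text.splitlines():
        if line.startswith("alert ") and policy_wants_drop(line, policy):
            sid = SID_RE.search(line)
            gid = GID_RE.search(line)  # Snort rules default to gid 1 when absent
            changed.append(f"{gid.group(1) if gid else '1'}:{sid.group(1) if sid else '?'}")
            line = "drop " + line[len("alert "):]
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    rules, changed = promote_to_drop(SAMPLE_RULES, "security")
    print(rules)
    print("drop list entries:", changed)
```

Run it against a real snort.rules file and a different policy name to see how much of the file actually changes before committing to it in inline mode.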
