[Snort-users] Using pulled pork to change rule state from alert to drop for a policy type

Tony Robinson deusexmachina667 at ...11827...
Wed Mar 27 16:53:04 EDT 2013


I know it's a little bit delayed (I've been insanely busy these days), but
I wanted to let you all know that I appreciate the feedback.

On Mon, Mar 25, 2013 at 12:19 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 3/24/2013 12:41, Tony Robinson wrote:
> > 5. Modify your snort rules to drop traffic in inline mode.
> >
> > My question revolves around 5. I'm well aware that pulled pork, via
> > dropsid.conf, can be used to change alert rules to drop rules. I'm worried
> > about haphazardly changing all the rules in my snort.rules file to DROP ALL
> > THE THINGS.
>
> there's two (2) camps to this particular question...
>
> 1. are you running the novell netmail server (mentioned in next quoted
> paragraph) on your network? is it patched up to date and is fixed for this
> specific flaw? if the answer is "yes", then you don't need to run this rule,
> do you? for one thing, not loading this rule will lower snort's memory
> footprint as well as increasing snort's processing speed since it doesn't
> have to process the rule. so run only those rules that pertain to your
> network and the equipment and servers allowed to run on it...
>
> 2. i'm kinda in the other camp... if someone is sending bad data to my
> system, i want to know about it... don't shake (test) the door knob on my
> front door to see if it is opened for you to just walk in... if you try to
> connect to mssql on my network from outside my network, i want to know about
> it... a) there's no reason for someone outside my network to try to connect
> to any sql servers there may be on my network, b) sql servers should not
> face the world wild whirl and c) how would you know there was a server there
> unless you've been probing and hunting for holes in which case, you are
> definitely up to no good and will be blocked...
>
> > What I would like to do: If I see a rule with policy metadata that
> > recommends the rule be set to drop, I want to change that rule from alert
> > to drop. Let's pick on sid 1:10011 -- SERVER-MAIL Novell NetMail APPEND
> > command buffer overflow attempt, just to illustrate what I'm trying to do.
>
> see above camp 1 unless you are in camp 2 ;)
>
> > It has the line "metadata:policy security-ips drop" indicating that: "If
> > the user is using a security over connectivity ruleset, this would make a
> > good drop rule in that rule policy configuration."
>
> ok...
>
> > If I am using a given rule policy configuration in pulled pork (balanced,
> > connectivity or security), and I see a rule with metadata that indicates a
> > given rule would make a good drop rule for that policy ruleset (metadata:
> > policy balanced-ips || policy connectivity-ips || policy security-ips), I
> > want to use pulledpork to change it to a drop rule. Is there an effective
> > way to do this?
> >
> > If there is not, I think this would make for an awesome feature request in
> > PP.
>
> i'll let others speak on this since i don't (yet) use pulledpork... i don't
> yet know how i would do it in my package but i have a rough idea... if PP
> doesn't have it, i agree that it would be a nice feature...



-- 
when does reality end? when does fantasy begin?
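An added example (mine, not from the thread and not pulledpork's own code) of the metadata-driven state change Tony asks about: scan a snort.rules fragment, and for one chosen policy (balanced, connectivity or security) turn an `alert` rule into `drop` only when its metadata carries `policy <name>-ips drop`, leaving disabled (commented) rules and rules whose metadata does not recommend drop alone. The rule lines are constructed for the demo (simplified bodies; only sid 10011 and its message come from the thread), and the `gid:sid` list it returns is meant to be fed to pulledpork's dropsid.conf, whose exact entry format I am assuming rather than quoting.

```python
import re

# Constructed snort.rules fragment (simplified rule bodies, not the real rule
# text; sid 10011 and its msg are the ones discussed in the thread).
SAMPLE_RULES = """\
# commented-out rules are disabled and must be left untouched
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"disabled"; sid:900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt"; flow:to_server,established; content:"APPEND"; metadata:policy balanced-ips drop, policy security-ips drop; sid:10011; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"constructed mssql probe"; flow:to_server; metadata:policy security-ips alert; sid:900002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule without policy metadata"; content:"x"; sid:900003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata:\s*([^;]*);")


def policy_says_drop(rule, policy):
    """True when the rule's metadata contains 'policy <policy>-ips drop'."""
    m = META_RE.search(rule)
    if not m:
        return False
    for entry in m.group(1).split(","):
        # each comma-separated entry is whitespace separated, e.g.
        # "policy security-ips drop"; only an explicit "drop" qualifies
        if entry.split()[:3] == ["policy", policy + "-ips", "drop"]:
            return True
    return False


def promote_to_drop(rules_text, policy):
    """Rewrite 'alert' rules whose metadata recommends drop for `policy`.

    Returns (new rules text, list of 'gid:sid' strings that were changed).
    Commented-out rules and rules that are already 'drop' are left as-is.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        if line.startswith("alert ") and policy_says_drop(line, policy):
            sid = SID_RE.search(line)
            gid = GID_RE.search(line)
            gid_str = gid.group(1) if gid else "1"  # snort's default gid is 1
            if sid:
                changed.append(f"{gid_str}:{sid.group(1)}")
            line = "drop " + line[len("alert "):]
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    print(promote_to_drop(SAMPLE_RULES, "security")[1])  # ['1:10011']
```

Run it against a real snort.rules and diff the result before copying it into place; for the dropsid.conf route, emit the `changed` list instead of rewriting the file and let pulledpork do the state change.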