[Snort-users] Modifying Rules Works One Direction, but Not T'Other

Joel Esler (jesler) jesler at ...589...
Sat Nov 29 14:29:50 EST 2014



--
Joel Esler
Sent from my iPhone

On Nov 29, 2014, at 2:09 PM, colony.three <colony.three at ...17037...<mailto:colony.three at ...17037...>> wrote:

I've found that the current SecurityOnion has some serious problems.  It does not even -define-:
EXTERNAL_NET
HOME_NET
HTTP_PORTS
... for some reason.  And these are mandatory for the GPL Emerging Threats rules.

These should be defined in any network setup.


I can't report the problems because SO requires G**gle Groups, and I'm not signing up for that.

Further, it's looking like the GPL Emerging Threats rules, which SecurityOnion installs, may not be well-written.

What is going on with that?

Emerging Threats rules generally serve a different purpose than the Snort Subscriber Rule Set. We recommend you use rules that are important to your network.




-------- Original Message --------
Subject: Re: [Snort-users] Modifying Rules Works One Direction, but Not T'Other
Time (GMT): Nov 29 2014 15:50:42
From: joel.esler at ...14399...<mailto:joel.esler at ...14399...>
To: colony.three at ...17037...<mailto:colony.three at ...17037...>
CC: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>

How about a “pass udp $EXTERNAL_NET any <> 192.168.1.7 any” rule?


> On Nov 27, 2014, at 11:00 PM, colony.three wrote:
>
>
> On 11/27/2014 7:22 PM, colony.three wrote:
> > alert udp $EXTERNAL_NET any <> !192.168.1.7 any (msg:"ET TOR Known Tor
>
> I'm not surprised... you've told Snort to alert on all UDP traffic in either
> direction that's not for 192.168.1.7... so all traffic from all other machines
> will raise an alert...
>
>
> Fine. I -want- traffic on all other machines to raise an alert.
>
> 192.168.1.7 is the only one running Tor traffic and I want that one to shut up. But it is still alerting on 192.168.1.7 only, as I say. All my other rules are working. And this one worked for one direction, but I can't shut up both directions because it dumps out when it finds a rule match.
>
> I am stuck on what to do about this. To me, the way I have the rule crafted, I believe, should stop alerts in both directions for 192.168.1.7. Snort seems to be misbehaving. But then I only started learning Snort 3 days ago.
>
>
>
>
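The rule behaviour argued about in this thread, traced with a small evaluator. This is an added example, not Snort's own matching code and not anything posted by the participants. It handles only the rule header (action, proto, src, sport, direction, dst, dport) with `any`, `$VAR`, `!`, `[a,b]`, CIDR and port ranges, ignores the option body, and assumes Snort 2's default rule order in which a matching pass rule wins over an alert rule (check `config order` in snort.conf if yours differs). The two variable sets, the packets, the peer address and the sids are constructed. The point it shows: with `<>`, a negated address on one side of the header is tested against the remote peer, so when EXTERNAL_NET is effectively `any` the `!192.168.1.7` rule still fires on 192.168.1.7's own traffic in both directions, while a `pass` rule naming 192.168.1.7 silences that host and leaves the other hosts alerting.

```python
import ipaddress

# Constructed variable sets. VARS_ANY mimics a config where EXTERNAL_NET is
# effectively "any"; VARS_STRICT is the usual "everything that is not home".
VARS_ANY    = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}
VARS_STRICT = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}


def match_ip(spec, ip, variables):
    """Does an address spec (any / $VAR / !spec / [a,b] / CIDR / host) cover ip?"""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_ip(spec[1:], ip, variables)
    if spec.startswith("$"):
        return match_ip(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("["):
        return any(match_ip(s, ip, variables) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port, variables):
    """Port spec: any / $VAR / !spec / single port / low:high range."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_port(spec[1:], port, variables)
    if spec.startswith("$"):
        return match_port(variables[spec[1:]], port, variables)
    if spec == "any":
        return True
    if ":" in spec:
        low, high = spec.split(":")
        return int(low or 0) <= port <= int(high or 65535)
    return port == int(spec)


def parse_rule(text):
    """Split the header; the option body in (...) is not evaluated here."""
    action, proto, src, sport, direction, dst, dport = text.split("(", 1)[0].split()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def rule_matches(rule, pkt, variables):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (match_ip(rule["src"], src, variables)
                and match_port(rule["sport"], sport, variables)
                and match_ip(rule["dst"], dst, variables)
                and match_port(rule["dport"], dport, variables))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "->":
        return forward
    # "<>": the header also matches with the packet's endpoints swapped, so a
    # negated dst is checked against the packet's *source* on the return leg.
    return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def decide(rules, pkt, variables):
    """Assumed Snort 2 default order: pass, drop, alert, log. A matching pass
    rule therefore wins no matter where it sits in the rule files."""
    matched = [r["action"] for r in rules if rule_matches(r, pkt, variables)]
    for action in ("pass", "drop", "alert", "log"):
        if action in matched:
            return action
    return None


def pkt(src, sport, dst, dport, proto="udp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


# Constructed traffic: 198.51.100.9 stands in for a Tor relay.
TOR_OUT   = pkt("192.168.1.7", 40000, "198.51.100.9", 9001)  # .7 talking to the relay
TOR_IN    = pkt("198.51.100.9", 9001, "192.168.1.7", 40000)  # the relay answering .7
OTHER_OUT = pkt("192.168.1.9", 40001, "198.51.100.9", 9001)  # another host; should still alert

USER_RULE = parse_rule('alert udp $EXTERNAL_NET any <> !192.168.1.7 any (msg:"ET TOR Known Tor"; sid:1;)')
PASS_RULE = parse_rule('pass udp $EXTERNAL_NET any <> 192.168.1.7 any (msg:"quiet .7"; sid:2;)')
ET_STYLE  = parse_rule('alert udp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET TOR Known Tor"; sid:3;)')

if __name__ == "__main__":
    for name, variables in (("EXTERNAL_NET=any", VARS_ANY), ("EXTERNAL_NET=!$HOME_NET", VARS_STRICT)):
        print(name)
        for label, p in (("TOR_OUT", TOR_OUT), ("TOR_IN", TOR_IN), ("OTHER_OUT", OTHER_OUT)):
            print(f"  {label:10} negated alert rule -> {decide([USER_RULE], p, variables)}"
                  f" | pass + ET-style alert -> {decide([PASS_RULE, ET_STYLE], p, variables)}")
```

With EXTERNAL_NET set to `any`, the negated rule reports `alert` for both TOR_OUT and TOR_IN, which is the symptom in the thread; with EXTERNAL_NET defined as `!$HOME_NET` the same rule is quiet for 192.168.1.7 and still alerts for 192.168.1.9, so the missing variable definitions and the rule edit interact. The pass rule silences 192.168.1.7 under either variable set and leaves the other host's traffic alerting.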




