[Snort-users] Modifying Rules Works One Direction, but Not T'Other

Doug Burks doug.burks at ...11827...
Sat Nov 29 14:33:53 EST 2014


Hi colony.three,

Replies inline.

On Sat, Nov 29, 2014 at 2:09 PM, colony.three
<colony.three at ...17037...> wrote:
> I've found that the current SecurityOnion has some serious problems.  It
> does not even -define-:
> EXTERNAL_NET
> HOME_NET
> HTTP_PORTS
> ... for some reason.

Security Onion does indeed define those variables.  Are you sure
you're looking at the right file?  Are you sure you ran through Setup
properly?  Are you sure you followed our Installation guide?
https://code.google.com/p/security-onion/wiki/Installation

> And these are mandatory for the GPL Emerging Threats
> rules.
>
> I can't report the problems because SO requires G**gle Groups, and I'm not
> signing up for that.

Any particular reason why?  You could always create a Google account
just for Google Groups.

> Further, it's looking like the GPL Emerging Threats rules may not be
> well-written, which are installed by SecurityOnion.
> What is going on with that?

Security Onion allows you to choose Sourcefire VRT or Emerging Threats.


>
>
> -------- Original Message --------
> Subject: Re: [Snort-users] Modifying Rules Works One Direction, but Not
> T'Other
> Time (GMT): Nov 29 2014 15:50:42
> From: joel.esler at ...14399...
> To: colony.three at ...17037...
> CC: snort-users at lists.sourceforge.net
>
> How about a “pass udp $EXTERNAL_NET any <> 192.168.1.7 any” rule?
>
>
>> On Nov 27, 2014, at 11:00 PM, colony.three wrote:
>>
>>
>> On 11/27/2014 7:22 PM, colony.three wrote:
>> > alert udp $EXTERNAL_NET any <> !192.168.1.7 any (msg:"ET TOR Known Tor
>>
>> I'm not surprised... you've told Snort to alert on all UDP traffic in
>> either direction that's not for 192.168.1.7... so all traffic from all
>> other machines will raise an alert...
>>
>>
>> Fine. I -want- traffic on all other machines to raise an alert.
>>
>> 192.168.1.7 is the only one running TOR traffic and I want that one to
>> shut up. But it is still alerting on 192.168.1.7 only, as I say. All my
>> other rules are working. And this one worked for one direction but I can't
>> shut up both directions because it dumps out when it finds a rule match.
>>
>> I am stuck on what to do about this. To me, the way I have the rule
>> crafted, I believe it should stop alerts in both directions for 192.168.1.7.
>> Snort seems to be misbehaving. But then I only started learning Snort 3 days ago.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk________________________...
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
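The two rule headers discussed in this thread, the original `alert udp $EXTERNAL_NET any <> !192.168.1.7 any` rule and the suggested `pass` rule, behave differently depending on what `$EXTERNAL_NET` resolves to. The Python model below of Snort's address matching and `<>` direction handling is an added example, not code from the thread or from Security Onion; it assumes HOME_NET is 192.168.1.0/24, a sample external host 8.8.8.8, and Snort 2.x's default pass-before-alert rule order, and it ignores ports and rule options.

```python
# Added example (not from the thread or Security Onion): a small model of how
# Snort evaluates the address half of a rule header, to show how the two rules
# discussed above treat 192.168.1.7 and why the value of $EXTERNAL_NET matters.
# Ports and rule options are ignored; only addresses and direction are modelled.
import ipaddress

# Assumed variable sets: EXTERNAL_NET as "everything outside HOME_NET" versus
# the loose setting EXTERNAL_NET = any.
DEFINED_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
LOOSE_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}

# The two rules from the thread, reduced to (action, src, direction, dst).
ALERT_RULE = ("alert", "$EXTERNAL_NET", "<>", "!192.168.1.7")
PASS_RULE = ("pass", "$EXTERNAL_NET", "<>", "192.168.1.7")

def addr_matches(spec, ip, variables):
    """True if ip satisfies a spec: 'any', a CIDR/host, a $VAR, or a !negation."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(rule, src_ip, dst_ip, variables):
    """'->' tests src/dst once; '<>' also tests the packet with src and dst swapped."""
    _, src_spec, direction, dst_spec = rule
    forward = addr_matches(src_spec, src_ip, variables) and addr_matches(dst_spec, dst_ip, variables)
    if direction == "->":
        return forward
    reverse = addr_matches(src_spec, dst_ip, variables) and addr_matches(dst_spec, src_ip, variables)
    return forward or reverse

def verdict(rules, src_ip, dst_ip, variables):
    """Action of the first matching rule; pass rules are checked before alert
    rules, as in Snort 2.x's default order (without --alert-before-pass)."""
    order = {"pass": 0, "alert": 1}
    for rule in sorted(rules, key=lambda r: order[r[0]]):
        if header_matches(rule, src_ip, dst_ip, variables):
            return rule[0]
    return None

if __name__ == "__main__":
    for label, variables in (("!$HOME_NET", DEFINED_VARS), ("any", LOOSE_VARS)):
        for src, dst in (("8.8.8.8", "192.168.1.7"), ("192.168.1.7", "8.8.8.8"), ("8.8.8.8", "192.168.1.20")):
            print(f"EXTERNAL_NET={label}: {src} -> {dst}: alert rule alone ->",
                  verdict([ALERT_RULE], src, dst, variables), "| with pass rule ->",
                  verdict([ALERT_RULE, PASS_RULE], src, dst, variables))
```

With `EXTERNAL_NET=any` the model reproduces the symptom in the thread (the reversed half of `<>` still matches traffic to and from 192.168.1.7) and the pass rule silences both directions, whereas with `EXTERNAL_NET=!$HOME_NET` the alert rule never matches that host at all. Note that a pass rule mutes every rule for that traffic, not only the Tor signature; a `suppress` entry in threshold.conf keyed on the signature's gen_id/sig_id with track by_src or by_dst is the narrower tool when only one signature should be quieted for one host.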



