[Snort-users] Snort-users Digest, Vol 1, Issue 4

Andhika Arya dhika.ac at gmail.com
Fri Jun 16 00:21:18 EDT 2017


On 15 Jun 2017 23:05, <snort-users-request at lists.snort.org> wrote:

> Send Snort-users mailing list submissions to
>         snort-users at lists.snort.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.snort.org/mailman/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request at lists.snort.org
>
> You can reach the person managing the list at
>         snort-users-owner at lists.snort.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
>
> Today's Topics:
>
>    1. Pulledpork Modify Rules Automatically (Jim Campbell)
>    2. Re: Pulledpork Modify Rules Automatically (James Lay)
>    3. Re: Pulledpork Modify Rules Automatically (Jim Campbell)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 14 Jun 2017 21:42:23 -0400
> From: Jim Campbell <jim at w4bqp.net>
> To: snort-users at lists.snort.org
> Subject: [Snort-users] Pulledpork Modify Rules Automatically
> Message-ID: <245afd3b-f98b-3312-9007-96939c862ab5 at w4bqp.net>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Since I last posted here I ended up formatting my hard drive, installing
> the latest Ubuntu and installing Snort in IPS mode. However, at the end
> of the tutorial on
> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
> shows you how to modify the single local rule to drop rather than alert.
> There is mention of a future page that will tell how to have Pulledpork
> automatically modify all the rules to drop.
>
> My setup is running in inline mode but so far hasn't reported any
> packets being flagged. I could sure use some help.
>
> Thanks,
>
> Jim
>
> --
> "We are not human beings having a spiritual experience;
> we are spiritual beings having a human experience."
> ---Pierre Teilhard de Chardin
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 14 Jun 2017 19:54:01 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> To: snort-users at lists.snort.org
> Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
> Message-ID: <1497491641.2275.3.camel at slave-tothe-box.net>
> Content-Type: text/plain; charset="utf-8"
>
> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
> > Since I last posted here I ended up formatting my hard drive, installing
> > the latest Ubuntu and installing Snort in IPS mode. However, at the end
> > of the tutorial on
> > http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
> > shows you how to modify the single local rule to drop rather than alert.
> > There is mention of a future page that will tell how to have Pulledpork
> > automatically modify all the rules to drop.
> >
> > My setup is running in inline mode but so far hasn't reported any
> > packets being flagged. I could sure use some help.
> >
> > Thanks,
> >
> > Jim
> >
> Dropsid.conf is where you'll want to look:
> https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
> James
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/mailman/private/snort-users/attachments/20170614/90cd5dca/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 15 Jun 2017 11:10:33 -0400
> From: Jim Campbell <jim at w4bqp.net>
> To: snort-users at lists.snort.org
> Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
> Message-ID: <d35efbd4-7b73-ad0b-e747-dafdfe12838b at w4bqp.net>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> James,
>
> Thanks for the reply and the pointer to the site. Those instructions
> would allow me to drop specific rules. What I wanted to do is to drop
> any packet that alerted, then except specific rules that I want to
> allow. Something like the inverse of what your site specified. I did
> some searching on the internet and found the following site:
>
> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf
>
> I realize that my original question specified Pulledpork. I wasn't aware
> that Snort being properly configured could do IPS all by itself. Snort
> is now doing what I want it to do.
>
> Thanks again,
>
> Jim
>
> On 6/14/2017 9:54 PM, James Lay wrote:
> > On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
> >> Since I last posted here I ended up formatting my hard drive, installing
> >> the latest Ubuntu and installing Snort in IPS mode. However, at the end
> >> of the tutorial on
> >> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/  it
> >> shows you how to modify the single local rule to drop rather than alert.
> >> There is mention of a future page that will tell how to have Pulledpork
> >> automatically modify all the rules to drop.
> >>
> >> My setup is running in inline mode but so far hasn't reported any
> >> packets being flagged. I could sure use some help.
> >>
> >> Thanks,
> >>
> >> Jim
> >>
> >
> > Dropsid.conf is where you'll want to look:
> >
> > https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
> >
> > James
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.snort.org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/mailman/private/snort-users/attachments/20170615/a652b834/attachment-0001.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-users
>
>
> ------------------------------
>
> End of Snort-users Digest, Vol 1, Issue 4
> *****************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170616/44e109c2/attachment.html>
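The thread leaves the second question open in code form: Pulledpork's dropsid.conf lists the specific gid:sid pairs to flip from alert to drop, while Jim (message 3) wanted the complement, everything that would alert becomes drop except a short allowlist that stays alert-only. One way to do that is a post-processing pass over the merged rules file Pulledpork writes, run after Pulledpork and before Snort is reloaded. The script below is an added example, not code from this thread, from Pulledpork or from the Snort project. It assumes rules are one per line (as Pulledpork emits them), that rules without an explicit gid option are gid 1, and that the allowlist uses the same `gid:sid` form dropsid.conf uses; the sample rules and the `KEEP_ALERT` set are constructed for the demonstration.

```python
import re
import sys
from typing import Iterable, List, Optional, Set

# Matches an uncommented rule whose action is "alert"; group 1 keeps any indent.
_ALERT_RE = re.compile(r"^(\s*)alert\b")
# Snort rule options; gid is optional and defaults to 1 (plain text rules).
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def rule_id(rule: str) -> Optional[str]:
    """Return the rule's 'gid:sid' (the dropsid.conf form), or None if it has no sid."""
    sid = _SID_RE.search(rule)
    if not sid:
        return None
    gid = _GID_RE.search(rule)
    return f"{gid.group(1) if gid else '1'}:{sid.group(1)}"


def alert_to_drop(rules: Iterable[str], keep_alert: Set[str]) -> List[str]:
    """Rewrite every active 'alert' rule to 'drop', except the gid:sid set in keep_alert.

    Comments, blank lines and rules with other actions (pass, log, drop, reject,
    sdrop) pass through unchanged, so disabled rules stay disabled and explicit
    pass rules keep whatever precedence the snort.conf gives them.
    """
    out: List[str] = []
    for line in rules:
        body = line.lstrip()
        if not body or body.startswith("#") or not _ALERT_RE.match(line):
            out.append(line)
            continue
        if rule_id(line) in keep_alert:
            out.append(line)  # allowlisted: stays alert-only
        else:
            out.append(_ALERT_RE.sub(r"\g<1>drop", line, count=1))
    return out


def convert_text(text: str, keep_alert: Set[str]) -> str:
    """Convenience wrapper over alert_to_drop for a whole rules file held as a string."""
    return "\n".join(alert_to_drop(text.splitlines(), keep_alert)) + "\n"


# Constructed sample rules for the demonstration; none of these are real VRT/ET sids.
SAMPLE_RULES = """\
# constructed sample, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; flow:to_server,established; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE noisy policy rule"; flow:to_server,established; content:"User-Agent|3a| curl"; sid:1000002; rev:1;)
# alert tcp any any -> any 23 (msg:"EXAMPLE disabled telnet rule"; sid:1000003; rev:1;)
pass ip $DNS_SERVERS any -> any 53 (msg:"EXAMPLE trusted dns"; sid:1000004; rev:1;)
alert udp any any -> any 161 (msg:"EXAMPLE shared-object rule"; gid:3; sid:1000005; rev:1;)
"""

# Hypothetical allowlist: the noisy policy rule keeps alerting instead of blocking.
KEEP_ALERT = {"1:1000002"}


def main(argv: List[str]) -> int:
    """Usage: alert_to_drop.py <rules file> [gid:sid ...]  (rewritten rules go to stdout)."""
    if len(argv) < 2:
        sys.stdout.write(convert_text(SAMPLE_RULES, KEEP_ALERT))
        return 0
    with open(argv[1], encoding="utf-8") as fh:
        sys.stdout.write(convert_text(fh.read(), set(argv[2:])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a practitioner should keep in mind. First, a `drop` action only blocks when Snort runs inline (`-Q` with an inline-capable DAQ such as afpacket, which is what the DAQ_AFPacket PDF Jim found covers); in passive mode the rewritten rules block nothing. Second, flipping an entire downloaded ruleset to drop turns every false positive into an outage for that traffic, so stage the change: run the converted file in alert-only mode first, watch which sids fire on production traffic, and grow the allowlist (or disable the rule in Pulledpork's disablesid.conf) before going inline. Rules continued across lines with a trailing backslash are not handled here; Pulledpork's merged output does not use them.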

