[Snort-users] Snort-users Digest, Vol 1, Issue 5

Suresh Manjanath smanjanath at yahoo.com
Fri Jun 16 12:09:43 EDT 2017


Unsubscribe 

Sent from my iPhone

> On Jun 16, 2017, at 12:00 PM, snort-users-request at lists.snort.org wrote:
> 
> Send Snort-users mailing list submissions to
>    snort-users at lists.snort.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>    https://lists.snort.org/mailman/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>    snort-users-request at lists.snort.org
> 
> You can reach the person managing the list at
>    snort-users-owner at lists.snort.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> 
> 
> When responding, please don't respond with the entire Digest.  Please trim your response.
> 
> 
> Today's Topics:
> 
>   1. Re: Pulledpork Modify Rules Automatically (James Lay)
>   2. Re: Snort-users Digest, Vol 1, Issue 4 (Andhika Arya)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 15 Jun 2017 12:08:06 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> To: snort-users at lists.snort.org
> Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
> Message-ID: <7027bac23559edf89f1708d705f258ff at localhost>
> Content-Type: text/plain; charset="us-ascii"
> 
> Excellent! 
> 
> James 
> 
>> On 2017-06-15 09:10, Jim Campbell wrote:
>> 
>> James,
>> 
>> Thanks for the reply and the pointer to the site. Those instructions would allow me to drop specific rules. What I wanted to do is to drop any packet that alerted, then except specific rules that I want to allow. Something like the inverse of what your site specified. I did some searching on the internet and found the following site:
>> 
>> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf
>> 
>> I realize that my original question specified Pulledpork. I wasn't aware that Snort being properly configured could do IPS all by itself. Snort is now doing what I want it to do.
>> 
>> Thanks again,
>> 
>> Jim
>> 
>> On 6/14/2017 9:54 PM, James Lay wrote: 
>> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote: 
>> 
>> Since I last posted here I ended up formatting my hard drive, installing 
>> the latest Ubuntu and installing Snort in IPS mode. However, at the end 
>> of the tutorial on 
>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it 
>> shows you how to modify the single local rule to drop rather than alert. 
>> There is mention of a future page that will tell how to have Pulledpork 
>> automatically modify all the rules to drop.
>> 
>> My setup is running in inline mode but so far hasn't reported any 
>> packets being flagged. I could sure use some help.
>> 
>> Thanks,
>> 
>> Jim
>> 
>> Dropsid.conf is where you'll want to look: 
>> 
>> https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf 
>> 
>> James 
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 16 Jun 2017 11:21:18 +0700
> From: Andhika Arya <dhika.ac at gmail.com>
> To: snort-users at lists.snort.org
> Subject: Re: [Snort-users] Snort-users Digest, Vol 1, Issue 4
> Message-ID:
>    <CAM1AxCL0wShEsPG1+aS_=6hd1ZLbrn6HmrasC+X50cOPTiOUzA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
>> On 15 Jun 2017 23:05, <snort-users-request at lists.snort.org> wrote:
>> 
>> 
>> Today's Topics:
>> 
>>   1. Pulledpork Modify Rules Automatically (Jim Campbell)
>>   2. Re: Pulledpork Modify Rules Automatically (James Lay)
>>   3. Re: Pulledpork Modify Rules Automatically (Jim Campbell)
>> 
>> 
>> ----------------------------------------------------------------------
>> 
>> Message: 1
>> Date: Wed, 14 Jun 2017 21:42:23 -0400
>> From: Jim Campbell <jim at w4bqp.net>
>> To: snort-users at lists.snort.org
>> Subject: [Snort-users] Pulledpork Modify Rules Automatically
>> Message-ID: <245afd3b-f98b-3312-9007-96939c862ab5 at w4bqp.net>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>> 
>> Since I last posted here I ended up formatting my hard drive, installing
>> the latest Ubuntu and installing Snort in IPS mode. However, at the end
>> of the tutorial on
>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
>> shows you how to modify the single local rule to drop rather than alert.
>> There is mention of a future page that will tell how to have Pulledpork
>> automatically modify all the rules to drop.
>> 
>> My setup is running in inline mode but so far hasn't reported any
>> packets being flagged. I could sure use some help.
>> 
>> Thanks,
>> 
>> Jim
>> 
>> --
>> "We are not human beings having a spiritual experience;
>> we are spiritual beings having a human experience."
>> ---Pierre Teilhard de Chardin
>> 
>> 
>> 
>> ------------------------------
>> 
>> Message: 2
>> Date: Wed, 14 Jun 2017 19:54:01 -0600
>> From: James Lay <jlay at slave-tothe-box.net>
>> To: snort-users at lists.snort.org
>> Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
>> Message-ID: <1497491641.2275.3.camel at slave-tothe-box.net>
>> Content-Type: text/plain; charset="utf-8"
>> 
>>> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
>>> Since I last posted here I ended up formatting my hard drive, installing
>>> the latest Ubuntu and installing Snort in IPS mode. However, at the end
>>> of the tutorial on
>>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
>>> shows you how to modify the single local rule to drop rather than alert.
>>> There is mention of a future page that will tell how to have Pulledpork
>>> automatically modify all the rules to drop.
>>> 
>>> My setup is running in inline mode but so far hasn't reported any?
>>> packets being flagged. I could sure use some help.
>>> 
>>> Thanks,
>>> 
>>> Jim
>>> 
>> Dropsid.conf is where you'll want to look:
>> https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
>> James
>> ------------------------------
>> 
>> Message: 3
>> Date: Thu, 15 Jun 2017 11:10:33 -0400
>> From: Jim Campbell <jim at w4bqp.net>
>> To: snort-users at lists.snort.org
>> Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
>> Message-ID: <d35efbd4-7b73-ad0b-e747-dafdfe12838b at w4bqp.net>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>> 
>> James,
>> 
>> Thanks for the reply and the pointer to the site. Those instructions
>> would allow me to drop specific rules. What I wanted to do is to drop
>> any packet that alerted, then except specific rules that I want to
>> allow. Something like the inverse of what your site specified. I did
>> some searching on the internet and found the following site:
>> 
>> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf
>> 
>> I realize that my original question specified Pulledpork. I wasn't aware
>> that Snort being properly configured could do IPS all by itself. Snort
>> is now doing what I want it to do.
>> 
>> Thanks again,
>> 
>> Jim
>> 
>>> On 6/14/2017 9:54 PM, James Lay wrote:
>>>> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
>>>> Since I last posted here I ended up formatting my hard drive, installing
>>>> the latest Ubuntu and installing Snort in IPS mode. However, at the end
>>>> of the tutorial on
>>>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/  it
>>>> shows you how to modify the single local rule to drop rather than alert.
>>>> There is mention of a future page that will tell how to have Pulledpork
>>>> automatically modify all the rules to drop.
>>>> 
>>>> My setup is running in inline mode but so far hasn't reported any
>>>> packets being flagged. I could sure use some help.
>>>> 
>>>> Thanks,
>>>> 
>>>> Jim
>>>> 
>>> 
>>> Dropsid.conf is where you'll want to look:
>>> 
>>> https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
>>> 
>>> James
>>> 
>> ------------------------------
>> 
>> ------------------------------
>> 
>> End of Snort-users Digest, Vol 1, Issue 4
>> *****************************************
>> 
> ------------------------------
> 
> ------------------------------
> 
> End of Snort-users Digest, Vol 1, Issue 5
> *****************************************
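The quoted thread above ends with two approaches: Pulledpork's dropsid.conf, which turns listed rules into drop rules, and Jim Campbell's wish for the inverse, where every alerting rule becomes a drop rule except a short list of rules that stay as alerts. The script below is an added illustration of that inverse rewrite; it is not code from the thread, from Pulledpork, or from Snort. The rule set, the allow-list format (one `gid:sid` or bare `sid` per line, comments with `#`), and the function names `parse_keep_list`, `rule_key` and `drop_all_except` are all constructed for this example. Disabled (commented-out) rules, rules without a `sid`, and rules whose action is already something other than `alert` are left untouched, so the rewrite never silently enables or changes a rule the operator did not intend to.

```python
import re

# Constructed sample rule set for the example (not Snort's or Pulledpork's rules).
SAMPLE_RULES = """\
# comment line, left untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo example"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP example"; gid:1; sid:1000003; rev:2;)
#alert udp any any -> any 53 (msg:"disabled rule"; sid:1000004; rev:1;)
pass tcp $HOME_NET any -> any any (msg:"already pass"; sid:1000005; rev:1;)
"""

# Constructed allow-list in a gid:sid form (assumed format for this example):
# rules listed here keep their alert action instead of being turned into drop.
SAMPLE_KEEP_LIST = """\
# rules that should keep alerting rather than dropping
1:1000002
"""

RULE_RE = re.compile(r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_keep_list(text):
    """Parse 'gid:sid' or bare 'sid' lines (gid defaults to 1) into a set of (gid, sid)."""
    keep = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" in line:
            gid, sid = line.split(":", 1)
            keep.add((int(gid), int(sid)))
        else:
            keep.add((1, int(line)))
    return keep


def rule_key(rule_text):
    """Return (gid, sid) for a rule line, or None when the rule carries no sid."""
    gid = GID_RE.search(rule_text)
    sid = SID_RE.search(rule_text)
    if not sid:
        return None
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def drop_all_except(rules_text, keep_alert):
    """Rewrite every 'alert' rule to 'drop' unless its (gid, sid) is in keep_alert.

    Returns the rewritten text and counts of dropped / kept / skipped lines.
    Comment lines, blank lines and rules with no sid are passed through unchanged.
    """
    out = []
    stats = {"dropped": 0, "kept": 0, "skipped": 0}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)
        if not m:  # blank line, comment, or disabled rule
            out.append(line)
            stats["skipped"] += 1
            continue
        key = rule_key(stripped)
        if m.group("action") != "alert" or key is None or key in keep_alert:
            out.append(line)  # already non-alert, unidentifiable, or explicitly kept
            stats["kept"] += 1
            continue
        out.append("drop " + m.group("rest"))
        stats["dropped"] += 1
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    rewritten, counts = drop_all_except(SAMPLE_RULES, parse_keep_list(SAMPLE_KEEP_LIST))
    print(rewritten)
    print(counts)
```

Running it on the constructed rule set turns the SSH and HTTP rules into drop rules, leaves the ICMP rule alerting because its sid is on the keep list, and passes the comment, the disabled rule and the existing `pass` rule through unchanged. When applying something like this to a real rule set, keep the rewritten file separate from the downloaded one and diff the two before reloading Snort, so that a typo in the allow-list shows up as an unexpected drop in the diff rather than as blocked traffic.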