[Snort-users] Snort-users Digest, Vol 1, Issue 4

tantioification . tantio86 at gmail.com
Sat Jun 17 21:52:50 EDT 2017


Hi Jim,

Could you tell me how to drop any packet that alerted automatically with
pulledpork?
In your last post you seemed to be successful.
Would you share it with me?

On Thu, Jun 15, 2017 at 11:00 PM, <snort-users-request at lists.snort.org>
wrote:

> Send Snort-users mailing list submissions to
>         snort-users at lists.snort.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.snort.org/mailman/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request at lists.snort.org
>
> You can reach the person managing the list at
>         snort-users-owner at lists.snort.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
>
> Today's Topics:
>
>    1. Pulledpork Modify Rules Automatically (Jim Campbell)
>    2. Re: Pulledpork Modify Rules Automatically (James Lay)
>    3. Re: Pulledpork Modify Rules Automatically (Jim Campbell)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 14 Jun 2017 21:42:23 -0400
> From: Jim Campbell <jim at w4bqp.net>
> To: snort-users at lists.snort.org
> Subject: [Snort-users] Pulledpork Modify Rules Automatically
> Message-ID: <245afd3b-f98b-3312-9007-96939c862ab5 at w4bqp.net>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Since I last posted here I ended up formatting my hard drive, installing
> the latest Ubuntu and installing Snort in IPS mode. However, at the end
> of the tutorial on
> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
> shows you how to modify the single local rule to drop rather than alert.
> There is mention of a future page that will tell how to have Pulledpork
> automatically modify all the rules to drop.
>
> My setup is running in inline mode but so far hasn't reported any
> packets being flagged. I could sure use some help.
>
> Thanks,
>
> Jim
>
> --
> "We are not human beings having a spiritual experience;
> we are spiritual beings having a human experience."
> ---Pierre Teilhard de Chardin
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 14 Jun 2017 19:54:01 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> To: snort-users at lists.snort.org
> Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
> Message-ID: <1497491641.2275.3.camel at slave-tothe-box.net>
> Content-Type: text/plain; charset="utf-8"
>
> On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
> > Since I last posted here I ended up formatting my hard drive, installing
> > the latest Ubuntu and installing Snort in IPS mode. However, at the end
> > of the tutorial on
> > http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ it
> > shows you how to modify the single local rule to drop rather than alert.
> > There is mention of a future page that will tell how to have Pulledpork
> > automatically modify all the rules to drop.
> >
> > My setup is running in inline mode but so far hasn't reported any
> > packets being flagged. I could sure use some help.
> >
> > Thanks,
> >
> > Jim
> >
> Dropsid.conf is where you'll want to look:
> https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
> James
>
> ------------------------------
>
> Message: 3
> Date: Thu, 15 Jun 2017 11:10:33 -0400
> From: Jim Campbell <jim at w4bqp.net>
> To: snort-users at lists.snort.org
> Subject: Re: [Snort-users] Pulledpork Modify Rules Automatically
> Message-ID: <d35efbd4-7b73-ad0b-e747-dafdfe12838b at w4bqp.net>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> James,
>
> Thanks for the reply and the pointer to the site. Those instructions
> would allow me to drop specific rules. What I wanted to do is to drop
> any packet that alerted, then except specific rules that I want to
> allow. Something like the inverse of what your site specified. I did
> some searching on the internet and found the following site:
>
> https://s3.amazonaws.com/snort-org-site/production/
> document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf
>
> I realize that my original question specified Pulledpork. I wasn't aware
> that Snort being properly configured could do IPS all by itself. Snort
> is now doing what I want it to do.
>
> Thanks again,
>
> Jim
>
> On 6/14/2017 9:54 PM, James Lay wrote:
> > On Wed, 2017-06-14 at 21:42 -0400, Jim Campbell wrote:
> >> Since I last posted here I ended up formatting my hard drive, installing
> >> the latest Ubuntu and installing Snort in IPS mode. However, at the end
> >> of the tutorial on
> >> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/  it
> >> shows you how to modify the single local rule to drop rather than alert.
> >> There is mention of a future page that will tell how to have Pulledpork
> >> automatically modify all the rules to drop.
> >>
> >> My setup is running in inline mode but so far hasn't reported any
> >> packets being flagged. I could sure use some help.
> >>
> >> Thanks,
> >>
> >> Jim
> >>
> >
> > Dropsid.conf is where you'll want to look:
> >
> > https://github.com/shirkdog/pulledpork/blob/master/etc/dropsid.conf
> >
> > James
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.snort.org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
> ------------------------------
>
> ------------------------------
>
> End of Snort-users Digest, Vol 1, Issue 4
> *****************************************
>
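What Jim describes in message 3 is the inverse of pulledpork's dropsid.conf: instead of listing the SIDs that should become drop rules, convert every enabled alert rule to drop and list only the SIDs that should keep alerting. The script below is an added example written for this digest, not code from the thread, from pulledpork, or from the Snort project. It assumes one-rule-per-line Snort 2.x rule files, that a commented-out rule starts with `#`, and that only the leading action keyword should be rewritten (so the word "alert" inside a `msg:` string is left untouched). The rules in `SAMPLE_RULES` are constructed for the demonstration and are not from any real ruleset.

```python
"""Rewrite Snort rule text so every enabled 'alert' rule becomes a 'drop'
rule, except for an allow-list of SIDs that should keep alerting.
Added example; assumes one rule per line (Snort 2.x rule syntax)."""
import re
import sys

# The action keyword is only recognised at the start of an enabled rule line,
# so an 'alert' appearing inside msg:"..." or a '#alert' comment is ignored.
RULE_RE = re.compile(r'^(?P<indent>\s*)alert(?P<rest>\s+\S.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def rule_sid(line):
    """Return the rule's SID as an int, or None if the line has no sid option."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def convert_rules(text, keep_alert=frozenset()):
    """Turn alert rules into drop rules unless their SID is in keep_alert.

    Returns (rewritten_text, number_of_rules_changed). Lines that are
    comments, 'pass'/'drop'/'reject' rules, or blank are passed through as-is.
    """
    out = []
    changed = 0
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and rule_sid(line) not in keep_alert:
            line = f"{m.group('indent')}drop{m.group('rest')}"
            changed += 1
        out.append(line)
    rewritten = "\n".join(out)
    if text.endswith("\n"):
        rewritten += "\n"
    return rewritten, changed


# Constructed sample rules for the demonstration (not real ruleset content).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp any any -> $HOME_NET 22 (msg:"SSH test"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP alert test"; sid:1000002; rev:1;)
#alert tcp any any -> any any (msg:"disabled rule"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any 53 (msg:"trusted DNS"; sid:1000004; rev:1;)
"""


if __name__ == "__main__":
    # Usage: python convert_rules.py <rules file> [sid ...]   (hypothetical file name)
    # With no arguments the constructed sample is rewritten, keeping sid 1000001 on alert.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read()
        keep = {int(s) for s in sys.argv[2:]}
    else:
        src, keep = SAMPLE_RULES, {1000001}
    result, n = convert_rules(src, keep)
    sys.stdout.write(result)
    sys.stderr.write(f"{n} rule(s) converted to drop\n")
```

Run it over the output directory pulledpork writes before Snort reloads, and remember that a rule converted to `drop` only drops traffic when Snort is actually inline (`-Q` with an inline-capable DAQ, as in the AFPacket document Jim links); in passive mode a drop rule still just alerts, which is why his first inline setup showed nothing until the configuration was corrected.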