[Snort-users] BASE

Dan O'Brien pdobrien3 at gmail.com
Thu Sep 14 14:35:55 EDT 2017


Ok, slowly I am trying to figure this out. 

I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg firewall client long host entry exploit attempt-19187" alerts.

The source IPs for all the alerts are my internet service provider's DNS servers, along with the IP of my Pi-hole Raspberry Pi. So, I need a simple filter for this rule, correct?

I figure I need this:
suppress gen_id 1, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]

1) Will this work? 
2) Where does it go? Snort.conf?
3) Can I list multiple comma separated IPs or a new line for each IP?

Thanks in advance for any assistance. 

Thanks,
Dan
(770) 624-1010
pdobrien3 at gmail.com

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad
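One way to check what a suppress line will silence before loading it into Snort, as an added example that is not part of the original thread and not Snort's own code: a small Python model of the documented threshold.conf suppress grammar (gen_id/sig_id match, optional track by_src|by_dst with an ip list of addresses or CIDR blocks). The two resolver addresses are the ones from the post above; the Pi-hole address 192.168.1.2 and the alert tuples are constructed placeholders. It also shows that the list form needs the comma after sig_id and brackets around a multi-address list.

```python
"""Toy model of Snort 2.x threshold.conf 'suppress' semantics.

Added example; this is not code from Snort or from the original thread.
It follows the documented grammar

    suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip-list>]

where <ip-list> is one address, one CIDR block, or a bracketed,
comma-separated list of either.  Without 'track' the signature is silenced
for every packet; with 'track' it is silenced only when the source (by_src)
or destination (by_dst) address falls inside <ip-list>.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

_LINE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?))?$"
)

# Constructed threshold.conf content.  24.25.5.60/61 are the resolver
# addresses from the post; 192.168.1.2 is an assumed Pi-hole address.
SAMPLE_CONF = """\
# silence sid 19187 when the source is one of the ISP resolvers
suppress gen_id 1, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]
# and when the source is the Pi-hole itself (assumed address)
suppress gen_id 1, sig_id 19187, track by_src, ip 192.168.1.2
"""

# Constructed alerts: (gid, sid, src, dst)
SAMPLE_ALERTS = [
    (1, 19187, "24.25.5.60", "192.168.1.2"),   # resolver -> Pi-hole
    (1, 19187, "192.168.1.2", "24.25.5.60"),   # Pi-hole -> resolver
    (1, 19187, "203.0.113.9", "192.168.1.2"),  # some other source
    (1, 19188, "24.25.5.60", "192.168.1.2"),   # different signature
]


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                 # "by_src", "by_dst" or None
    nets: list = field(default_factory=list)


def parse_ip_list(text: str) -> list:
    """Accept '1.2.3.4', '10.0.0.0/8' or '[a,b,c]' and return network objects."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [ipaddress.ip_network(t.strip(), strict=False)
            for t in text.split(",") if t.strip()]


def parse_threshold_conf(conf: str) -> list:
    """Parse suppress lines; '#' comments and blank lines are ignored.
    A line that does not follow the comma-separated grammar raises ValueError."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable suppress line: {raw!r}")
        gid, sid, track, ips = m.groups()
        entries.append(Suppress(int(gid), int(sid), track,
                                parse_ip_list(ips) if ips else []))
    return entries


def is_suppressed(entries: list, gid: int, sid: int, src: str, dst: str) -> bool:
    """True if any entry silences this (gid, sid) for the given packet addresses."""
    for e in entries:
        if (e.gid, e.sid) != (gid, sid):
            continue
        if e.track is None:                  # blanket suppression
            return True
        addr = ipaddress.ip_address(src if e.track == "by_src" else dst)
        if any(addr in n for n in e.nets):   # mismatched IP versions never match
            return True
    return False


if __name__ == "__main__":
    entries = parse_threshold_conf(SAMPLE_CONF)
    for gid, sid, src, dst in SAMPLE_ALERTS:
        verdict = "suppressed" if is_suppressed(entries, gid, sid, src, dst) else "alert"
        print(f"gid={gid} sid={sid} {src} -> {dst}: {verdict}")
```

Note that `track by_src` only looks at the source address, so the Pi-hole's own replies need their own address in the list (or a second line, as above) to be silenced; the stock snort.conf pulls these lines in with `include threshold.conf`, and `snort -T -c /etc/snort/snort.conf` will test the configuration before it goes live.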

> On Sep 10, 2017, at 2:29 PM, Ron Sinclair via Snort-users <snort-users at lists.snort.org> wrote:
> 
> You'd have to tune Snort itself (rules and/or processors), not BASE.  BASE will allow you to see/manipulate the alerts, but that's about it.
> 
> Ron Sinclair
> unixfool at gmail.com
> 
> 
>> On Sat, Sep 9, 2017 at 6:49 PM, Dan O'Brien via Snort-users <snort-users at lists.snort.org> wrote:
>> All,
>> 
>> If I am posting off-topic, please let me know. I have installed snort, barnyard2, oinkmaster, and BASE.  Everything seems to be working very well.  I followed one of the how-tos on the snort site. I am slowly learning and have tried several IDS without success. The config I have now seems to be stable and I am very happy with it. I just need to start configuring BASE and I cannot find any help on the web. I need to start learning how to tell BASE what is significant and what is not and to alert me on important stuff. I would also like to try and get some of the graph stuff working as it doesn't seem to work. 
>> 
>> This is the guide I followed. 
>> 
>> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1505000935&Signature=Z7Tc484O02UTenkqQPax%2BFythyE%3D
>> 
>> Thanks,
>> Dan
>> (770) 624-1010
>> pdobrien3 at gmail.com
>> 
>> "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
>> 
>> Sent from my iPad
>> 
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 