[Snort-users] Snort / Rules / Pulled Pork

Dan O'Brien pdobrien3 at gmail.com
Sat Sep 16 09:20:32 EDT 2017


> Ok, slowly I am trying to figure this out. 
> 
> I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg firewall client long host entry exploit attempt-19187" alerts.
> 
> The source IPs for all the alerts are my internet service provider's DNS servers, along with the IP of my Pi-hole Raspberry Pi. So I need a simple filter for this rule, correct?
> 
> I figure I need this:
> suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60,24.25.5.61 
> 
> I ended up trying it in several different locations, including snort.conf and local.rules, without any effect. Last night, I put the statement at the bottom of snort.rules, which is where all the PulledPork rules are. IT WORKED :-). 

I woke up this a.m. hoping to continue eliminating some of my false positives through this method, and my additions were no longer at the bottom of the PulledPork snort.rules list. The false positives are still being enforced, though. 

I realize I am new and asking some really noob questions. I always try to find the answers on the internet; the problem is, I end up with old information. 

Any assistance greatly appreciated 

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad
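As an added example that is not part of the thread above: PulledPork regenerates snort.rules on every run, so anything appended to that file is lost the next time it runs. Event suppression belongs in threshold.conf, which the stock snort.conf already pulls in with `include threshold.conf` and which PulledPork does not rewrite. The file paths and the Pi-hole address 192.168.1.2 below are placeholders assumed for the example; the two 24.25.5.x resolver addresses are the ones given in the post. Note also that Snort's suppress syntax needs a comma between every field (the line quoted in the post is missing the one after `sig_id 19187`), and that `gen_id` has to match the GID printed in the alert header `[gid:sid:rev]`: 3 for a shared-object (so_rules) rule, 1 for a plain text rule.

```conf
# /etc/snort/snort.conf  (path assumed) -- the stock config already has this
# line; make sure it is present and not commented out:
include threshold.conf

# /etc/snort/threshold.conf  (path assumed) -- survives PulledPork runs because
# PulledPork only rewrites the rule files named in pulledpork.conf.
#
# Suppress SID 19187 only when the packet comes from the ISP resolvers.
# One address per line is the form every Snort 2.x release accepts.
suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60
suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.61

# Same rule, keyed on the Pi-hole (placeholder address assumed for the example).
suppress gen_id 3, sig_id 19187, track by_src, ip 192.168.1.2

# If the rule should never fire at all, the PulledPork way is a gid:sid entry in
# the file named by "disablesid=" in pulledpork.conf (path assumed), e.g.
# /etc/snort/disablesid.conf:
#   3:19187
```

After editing, run `snort -T -c /etc/snort/snort.conf` (test mode) and confirm it reports the suppress entries without a parse error before restarting the daemon; a suppression keyed on the wrong `gen_id` parses cleanly but silently never matches, so if the alerts keep coming, compare the `[gid:sid:rev]` prefix in the alert against the `gen_id` you wrote.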