[Snort-users] Snort / Rules / Pulled Pork
pdobrien3 at gmail.com
Sat Sep 16 09:20:32 EDT 2017
> Ok, slowly I am trying to figure this out.
> I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg firewall client long host entry exploit attempt-19187" alerts.
> The source IPs for all the alerts are my internet service provider's DNS servers along with the IP of my Pi-hole Raspberry Pi. So, I need a simple filter for this rule, correct?
> I figure I need this:
> suppress gen_id 3, sig_id 19187 track by_src, ip 18.104.22.168,22.214.171.124
> I ended up trying it in several different locations, including snort.conf and local.rules, without any effect. Last night, I put the statement at the bottom of snort.rules, which is where all the Pulled Pork rules are. IT WORKED :-).
I woke up this a.m., hoping to continue eliminating some of my false positives through this method, and my additions were no longer at the bottom of the Pulled Pork snort.rules list. The false positives are still being enforced, though.
I realize I am new and asking some really noob questions. I always try to find the answers on the internet; the problem is, I end up with old information.
Any assistance greatly appreciated.
"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
Sent from my iPad
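The following is an added example, not code from the original post or from the Snort or PulledPork projects. It builds `suppress` statements in the `threshold.conf` syntax the post uses (`suppress gen_id <gid>, sig_id <sid>, track by_src, ip <list>`) from alert lines in Snort's `alert_fast` layout, and it only suppresses a signature for source addresses the operator has explicitly listed as trusted for that specific signature; any other source still firing the rule is reported instead of silenced. PulledPork rewrites `snort.rules` on every run, so statements appended there do not survive; the default `snort.conf` includes `threshold.conf`, which is where the generated lines are meant to go (that placement is the example's assumption about the deployment). The sample alert lines, addresses and the local-range SID 1000001 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort's alert_fast layout. The addresses,
# timestamps and the local-range signature 1:1000001 are made up for this
# example; only gid 3 / sid 19187 comes from the post.
SAMPLE_ALERTS = """\
09/16-08:01:02.123456  [**] [3:19187:3] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 192.0.2.53:53 -> 192.168.1.20:51234
09/16-08:01:05.000001  [**] [3:19187:3] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 192.0.2.54:53 -> 192.168.1.20:51240
09/16-08:02:10.000001  [**] [3:19187:3] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 192.168.1.10:53 -> 192.168.1.20:51250
09/16-08:02:30.000001  [**] [3:19187:3] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 203.0.113.9:53 -> 192.168.1.20:51260
09/16-08:03:00.000001  [**] [1:1000001:1] LOCAL example rule [**] [Priority: 3] {TCP} 192.0.2.53:80 -> 192.168.1.20:40001
"""

# Hypothetical operator policy for this example: ISP resolvers and the Pi-hole
# are trusted ONLY for the DNS signature, not for every rule they might trip.
TRUSTED_FOR_SIGNATURE = {
    (3, 19187): {"192.0.2.53", "192.0.2.54", "192.168.1.10"},
}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]"     # [generator:signature:revision]
    r".*?\{[A-Z0-9]+\}\s+"                     # protocol tag such as {UDP}
    r"(?P<src>[0-9.]+)(?::\d+)?\s+->"         # source IPv4, port optional (ICMP has none)
)


def _ip_key(ip):
    """Sort dotted-quad addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def sources_by_signature(alert_text):
    """Map (gid, sid) -> set of source addresses that triggered that signature."""
    seen = defaultdict(set)
    for line in alert_text.splitlines():
        match = ALERT_RE.search(line)
        if match:
            seen[(int(match["gid"]), int(match["sid"]))].add(match["src"])
    return seen


def build_suppressions(alert_text, trusted_for_signature):
    """
    Return (suppress_lines, unexplained).

    suppress_lines: threshold.conf statements, one per signature, naming only
                    the sources trusted for that signature.
    unexplained:    {(gid, sid): [ips]} for sources that fired the signature
                    but are not trusted for it; those alerts stay visible.
    """
    suppress_lines = []
    unexplained = {}
    for (gid, sid), sources in sorted(sources_by_signature(alert_text).items()):
        trusted = trusted_for_signature.get((gid, sid), set())
        allowed = sorted(sources & trusted, key=_ip_key)
        leftover = sorted(sources - trusted, key=_ip_key)
        if allowed:
            suppress_lines.append(
                f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {','.join(allowed)}"
            )
        if leftover:
            unexplained[(gid, sid)] = leftover
    return suppress_lines, unexplained


def main():
    lines, unexplained = build_suppressions(SAMPLE_ALERTS, TRUSTED_FOR_SIGNATURE)
    print("# append to threshold.conf (included by snort.conf), not to snort.rules")
    for line in lines:
        print(line)
    for (gid, sid), ips in unexplained.items():
        print(f"# NOT suppressed, review these sources for {gid}:{sid}: {', '.join(ips)}")


if __name__ == "__main__":
    main()
```

Keeping the trusted list keyed by signature matters: the same resolver address that legitimately explains the DNS alert should not be used to blanket-silence unrelated rules, and the `unexplained` output is what tells you a new source has started firing a rule you thought you had tuned.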