[Snort-users] Snort / Rules / Pulled Pork

Marcin Dulak marcin.dulak at gmail.com
Sat Sep 16 10:27:27 EDT 2017


On Sat, Sep 16, 2017 at 3:20 PM, Dan O'Brien via Snort-users <
snort-users at lists.snort.org> wrote:

> Ok, slowly I am trying to figure this out.
>
>
> I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason
> why I am getting multiple "protocol dns tmg firewall client long host entry
> exploit attempt-19187" alerts.
>
>
> The source IPs for all the alerts are my internet service provider's DNS
> servers along with the IP of my Pi-hole Raspberry Pi. So, I need a simple
> filter for this rule, correct?
>
>
> I figure I need this:
>
> suppress gen_id 3, sig_id 19187 track by_src, ip 24.25.5.60,24.25.5.61
>
readable examples are given at
https://www.snort.org/faq/readme-filters
https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters


>
> I ended up trying it in several different locations including snort.conf
> and local.rules without any effect.
>
snort.conf contains the line
include threshold.conf
where you can write those suppress filters.


> Last night, I put the statement at the bottom of snort.rules, which is
> where all the pulled pork rules are. IT WORKED :-).
>
>
> I woke up this am, hoping to continue eliminating some of my false
> positives through this method, and my additions were no longer at the bottom
> of the pulled pork/snort.rules list.
>

pulledpork is configurable to download and update snort.rules - maybe this
is what happened?

Marcin


> The false positives are still being enforced though.
>
> I realize I am new and asking some really noob questions. I always try and
> find the answers on the internet, problem is, I end up with old
> information.
>
> Any assistance is greatly appreciated
>
> Thanks,
>
> Dan
>
>
> "Better is a poor man who walks in his integrity than a rich man who is
> crooked in his ways." - Proverbs 28:6
>
>
> Sent from my iPad
>
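To check what a suppress line in threshold.conf will actually do before relying on it (and without waiting for the next pulledpork run to overwrite snort.rules), here is a small added example that is not part of this thread: it parses suppress entries in the form documented in README.filters and tests whether a given alert (gen_id, sig_id, source and destination address) would be dropped. The sample threshold.conf content is constructed; it reuses the gen_id/sig_id from Dan's line and adds a CIDR entry, and the comma-separated ip list form is an assumption taken from his line rather than checked against every form Snort accepts.

```python
import ipaddress
import re

# Constructed sample threshold.conf content (not from the original thread).
# snort.conf pulls this file in via "include threshold.conf".
SAMPLE_THRESHOLD_CONF = """\
# suppress this event when it comes from the ISP resolvers
suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60,24.25.5.61
# same SID under gen_id 1, suppressed for the whole LAN as source
suppress gen_id 1, sig_id 19187, track by_src, ip 192.168.1.0/24
"""

# gen_id/sig_id are required; the "track ... , ip ..." part is optional.
# The comma before "track" is made optional so a line like Dan's still parses.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,?\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?))?\s*$"
)


def parse_suppress(text):
    """Return one dict per suppress line: gid, sid, track and parsed networks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparsable suppress line: {line!r}")
        gid, sid, track, ips = m.groups()
        nets = None
        if ips:
            # accept "a,b" or "[a, b]"; single hosts become /32 networks
            nets = [ipaddress.ip_network(p.strip(), strict=False)
                    for p in ips.strip("[]").split(",")]
        entries.append({"gid": int(gid), "sid": int(sid), "track": track, "nets": nets})
    return entries


def is_suppressed(entries, gid, sid, src, dst):
    """True if an alert (gid, sid) from src to dst matches some suppress entry."""
    for e in entries:
        if (e["gid"], e["sid"]) != (gid, sid):
            continue
        if e["nets"] is None:  # no track/ip clause: suppress unconditionally
            return True
        addr = ipaddress.ip_address(src if e["track"] == "by_src" else dst)
        if any(addr in net for net in e["nets"]):
            return True
    return False
```

Run `is_suppressed(parse_suppress(open("threshold.conf").read()), 3, 19187, "24.25.5.60", "192.168.1.10")` against the real file to confirm the entry covers the addresses seen in the alerts.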