[Snort-users] Snort / Rules / Pulled Pork

Marcin Dulak marcin.dulak at gmail.com
Sat Sep 16 17:49:00 EDT 2017


On Sat, Sep 16, 2017 at 10:35 PM, Dan O'Brien <pdobrien3 at gmail.com> wrote:

> Thank you very much for your response. Please allow me to clarify a couple
> things within your original response.
>
> Thanks,
>
> Dan
>
>
> "Better is a poor man who walks in his integrity than a rich man who is
> crooked in his ways." - Proverbs 28:6
>
>
> Sent from my iPad
>
> On Sep 16, 2017, at 10:27 AM, Marcin Dulak <marcin.dulak at gmail.com> wrote:
>
>
>
> On Sat, Sep 16, 2017 at 3:20 PM, Dan O'Brien via Snort-users <
> snort-users at lists.snort.org> wrote:
>
>> Ok, slowly I am trying to figure this out.
>>
>>
>> I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason
>> why I am getting multiple "protocol dns tmg firewall client long host entry
>> exploit attempt-19187" alerts.
>>
>>
>> The source IPs for all the alerts are my internet service provider's DNS
>> servers along with the IP of my Pi-hole Raspberry Pi. So, I need a simple
>> filter for this rule, correct?
>>
>>
>> I figure I need this:
>>
>> suppress gen_id 3, sig_id 19187 track by_src, ip 24.25.5.60,24.25.5.61
>>
> Readable examples are given at
> https://www.snort.org/faq/readme-filters
> https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters
>
>
> Thank you for this, this is where I actually learned the suppress command
> I used but this is confusing (see below).
>
>
>
>>
>> I ended up trying it in several different locations, including snort.conf
>> and local.rules, without any effect.
>>
> snort.conf contains the line
> include threshold.conf
> where you can write those suppress filters.
>
> The link above indicates that thresholding is being deprecated.  I
> originally believed that in the future, threshold.conf would be going
> bye-bye so using it now would be counter productive. Before writing this
> response, I again re-read the filter readme and the second time I think I
> read it differently. The second time I read it, I understood that the
> standalone threshold statement would be deprecated. Is this different than
> using threshold.conf?
>

The information in
https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters
deprecates the one in
https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.thresholding


>
>
>
>> Last night, I put the statement at the bottom of snort.rules, which is
>> where all the pulled pork rules are. IT WORKED :-).
>>
>>
>> I woke up this am, hoping to continue eliminating some of my false
>> positives through this method, and my additions were no longer at the bottom
>> of the pulled pork/snort.rules list.
>>
>
> pulledpork is configurable to download and update snort.rules - maybe this
> is what happened?
>
> Absolutely what happened.  My confusion is in the fact that the suppress
> statements in yesterday's snort.rules are still working today even after
> pulled pork downloaded and updated snort.rules.  My suppress statements are
> still working even though they are not in snort.rules due to being
> overwritten by the download today. They had to be written elsewhere?  No
> biggie other than should my suppress statements not be correct, I have no
> idea how to delete them.
>

pulledpork downloaded and installed the new rules, but snort has not been
restarted, so it still uses the old suppress definitions.
You can also force snort to re-read the new snort.rules without restarting
with:

kill -hup $(pidof snort)


Marcin

>
> Marcin
>
>
>> The false positives are still being enforced though.
>>
>> I realize I am new and asking some really noob questions. I always try
>> and find the answers on the internet, problem is, I end up with old
>> information.
>>
>> Any assistance greatly appreciated
>>
>> Thanks,
>>
>> Dan
>>
>>
>> "Better is a poor man who walks in his integrity than a rich man who is
>> crooked in his ways." - Proverbs 28:6
>>
>>
>> Sent from my iPad
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>
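As an added example (not code from the thread or from Snort), the script below turns a batch of alert_fast lines into the threshold.conf entry discussed above: it groups source IPs per gid:sid, compares them with the suppress lines a threshold.conf already contains, and emits one README.filters-style line covering only the addresses still missing, so a `kill -hup` reload picks up a complete entry without duplicates. The sample alerts, the Pi-hole address 192.168.1.5 and the sample threshold.conf content are constructed.

```python
import re
from collections import defaultdict

# Matches Snort alert_fast output: [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[0-9A-Fa-f.:]+?)(?::\d+)?\s+->\s+(?P<dst>[0-9A-Fa-f.:]+?)(?::\d+)?\s*$"
)
# Matches a README.filters "suppress" line that tracks by source address
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*track\s+by_src\s*,\s*ip\s+(\S+)", re.I
)

# Constructed sample alerts: a Pi-hole at 192.168.1.5 plus two upstream resolvers trigger 3:19187
SAMPLE_ALERTS = """\
09/16-10:27:01.123456  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 24.25.5.60:53 -> 192.168.1.20:41234
09/16-10:27:02.223456  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 24.25.5.61:53 -> 192.168.1.20:41235
09/16-10:27:03.323456  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 192.168.1.5:53 -> 192.168.1.20:41236
09/16-10:27:04.423456  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 24.25.5.60:53 -> 192.168.1.21:41237
09/16-10:28:00.000000  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 203.0.113.9:80 -> 192.168.1.20:50000
"""
# Constructed threshold.conf content: one resolver is already suppressed
SAMPLE_THRESHOLD_CONF = "suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60\n"

def sources_by_signature(alert_text):
    """Return {(gid, sid): {src_ip: hit_count}} parsed from alert_fast lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:  # lines that do not parse are skipped rather than guessed at
            hits[(int(m["gid"]), int(m["sid"]))][m["src"]] += 1
    return hits

def suppressed_sources(conf_text):
    """Return {(gid, sid): set(ips)} already suppressed by_src in a threshold.conf."""
    done = defaultdict(set)
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            done[(int(m[1]), int(m[2]))].update(m[3].split(","))
    return done

def plan_suppress(alert_text, conf_text, gid, sid):
    """Return (new_ips, suppress_line) for sources of gid:sid not yet covered; line is None if nothing to add."""
    seen = set(sources_by_signature(alert_text).get((gid, sid), {}))
    new_ips = sorted(seen - suppressed_sources(conf_text).get((gid, sid), set()))
    if not new_ips:
        return [], None
    # README.filters syntax: comma-separated key/value pairs; ip takes a comma-separated list
    return new_ips, f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {','.join(new_ips)}"
```

Append the returned line to threshold.conf (the file snort.conf includes) rather than to snort.rules, which pulledpork overwrites on its next run.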