Snort mailing list archives
Re: (no subject)
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Mar 2011 10:03:27 -0500
I actually prefer Shawn's method. Adding "noalert" means modifying the rule. Which, you are totally allowed to do, nothing holding you back, but then you have to maintain PP to modify that flowbit rule every time. Plus if VRT changes the flowbit name or something (just saying)..

J

On Mar 4, 2011, at 1:10 AM, Dave Venman wrote:
Rather than suppress it, why not use flowbits:noalert - that's what it was designed for?

On 4 March 2011 00:49, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Makes perfect sense, and what I've done to address the issue you raised at the end of your email is keep the flowbits:set rule enabled, but create a suppress statement for it.

PS. And I'm excited to see the new features!

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com]
Sent: Thursday, March 03, 2011 4:44 PM
To: Jefferson, Shawn
Cc: Jason Wallace; wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

To address this, the logic behind PP does just what Jason had said... if you have rules that are looking for flowbits:isset values, it enables the respective, and required, flowbits:set values. Further, if you have specified a flowbits:set rule to be explicitly disabled in the disablesid.conf section and PP needs to automatically re-enable that due to it being a dependency of other rules, it will do so.. and Shawn, to address your concern.. that was a feature request that has been added to the current version that can be found in the svn repo. I anticipate having a release out soon; it contains numerous bug-fixes and feature enhancements.. I'm just waiting on some code commits to complete.

Consider this logic re: flowbit auto re-enabling: I have 3 critical rules that look for current 0-day type traffic.. they all contain flowbits:isset,this.foo; and you disabled the rule that contains flowbits:set,this.foo; because it was generating an event like "POLICY this schmuck downloaded tha foo!" and you did not want to see that. By disabling, and subsequently not re-enabling, the rule containing flowbits:set,this.foo; you would be silently disabling the other 3 critical rules that relied on that flowbit, make sense?
JJC

--
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email: dave.venman () sourcefire com
Mobile: +44 (7917) 168068
DDI: +44 (118) 989 8412
Fax: +44 (118) 989 8401
--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
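The flowbit-dependency pass JJC describes (re-enable any disabled flowbits:set rule that an enabled flowbits:isset rule depends on) and the two ways of quieting the setter rule debated in the thread (Shawn's threshold.conf suppress entry versus Dave's flowbits:noalert rule edit), as an added Python example. This is not PulledPork's own code; the rules, SIDs and flowbit names below are constructed for illustration, and the parser covers only the flowbits syntax needed to show the point.

```python
import re

# Constructed sample rules for illustration; the SIDs and flowbit names are
# placeholders, not rules from the VRT ruleset. sid:1000006 sets a bit that
# nothing checks, so disabling it is harmless.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY this schmuck downloaded tha foo"; flow:to_server,established; content:"GET /foo"; flowbits:set,this.foo; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT foo payload A"; flow:to_client,established; flowbits:isset,this.foo; content:"AAAA"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT foo payload B"; flow:to_client,established; flowbits:isset,this.foo; content:"BBBB"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT foo payload C"; flow:to_client,established; flowbits:isset,this.foo&this.bar; content:"CCCC"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY bar seen"; flowbits:set,this.bar; flowbits:noalert; sid:1000005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY baz seen"; flowbits:set,this.baz; sid:1000006; rev:1;)
"""

FLOWBITS_RE = re.compile(r"flowbits:\s*(\w+)(?:\s*,\s*([^;]+))?;")
SID_RE = re.compile(r"\bsid:\s*(\d+);")
MSG_RE = re.compile(r'msg:"([^"]*)";')


def split_names(arg):
    """Snort allows 'a&b' / 'a|b' in isset checks and an optional ',group' suffix."""
    names = arg.split(",")[0]
    return {n.strip() for n in re.split(r"[&|]", names) if n.strip()}


def parse_rules(text):
    """Return {sid: rule}. Commented-out ('#') lines are treated as absent."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        msg_m = MSG_RE.search(line)
        rule = {"sid": int(sid_m.group(1)), "raw": line, "sets": set(),
                "checks": set(), "noalert": False,
                "msg": msg_m.group(1) if msg_m else ""}
        for op, arg in FLOWBITS_RE.findall(line):
            if op == "noalert":
                rule["noalert"] = True
            elif op in ("set", "setx", "toggle"):
                rule["sets"].update(split_names(arg))
            elif op in ("isset", "isnotset"):
                rule["checks"].update(split_names(arg))
        rules[rule["sid"]] = rule
    return rules


def silenced_dependencies(rules, disabled_sids):
    """Rules left enabled whose flowbits check names a bit no enabled rule sets:
    the 'silently disabled' rules JJC warns about."""
    disabled = set(disabled_sids)
    set_by_enabled = set()
    for r in rules.values():
        if r["sid"] not in disabled:
            set_by_enabled |= r["sets"]
    return sorted(r["sid"] for r in rules.values()
                  if r["sid"] not in disabled
                  and any(b not in set_by_enabled for b in r["checks"]))


def rules_to_reenable(rules, disabled_sids):
    """Mimic the auto re-enable pass: a disabled rule that sets a bit some enabled
    rule checks is put back on. Iterated to a fixpoint so a setter that itself
    checks another bit pulls its own dependency back in too."""
    disabled = set(disabled_sids)
    reenabled = set()
    while True:
        required = set()
        for r in rules.values():
            if r["sid"] not in disabled:
                required |= r["checks"]
        newly = {sid for sid in disabled if sid in rules and rules[sid]["sets"] & required}
        if not newly:
            return reenabled
        disabled -= newly
        reenabled |= newly


def suppress_line(sid, gen_id=1):
    """Shawn's approach: leave the rule enabled, silence its event in threshold.conf."""
    return f"suppress gen_id {gen_id}, sig_id {sid}"


def with_noalert(rule):
    """Dave's approach: keep flowbits:set but add flowbits:noalert to the rule text,
    an edit that has to be re-applied on every ruleset update."""
    if rule["noalert"]:
        return rule["raw"]
    return rule["raw"].replace(" sid:", " flowbits:noalert; sid:", 1)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    disabled = {1000001, 1000006}  # what a disablesid.conf might list
    print("silently broken if left disabled:", silenced_dependencies(rules, disabled))
    back_on = rules_to_reenable(rules, disabled)
    print("re-enabled as dependencies:", sorted(back_on))
    for sid in sorted(back_on):
        print("  threshold.conf:", suppress_line(sid))
        print("  or rule edit:  ", with_noalert(rules[sid]))
```

With sid 1000001 and 1000006 disabled, the three isset rules are the ones that would never fire; the pass brings back only 1000001, since nothing depends on this.baz, and the two quieting options are then printed for it.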
Current thread:
- (no subject) sasa susmanto (Mar 01)
- Re: (no subject) Joel Esler (Mar 01)
- Re: (no subject) Alan Ptak (Mar 02)
- Re: (no subject) waldo kitty (Mar 02)
- Re: (no subject) Jason Wallace (Mar 03)
- Re: (no subject) Jefferson, Shawn (Mar 03)
- Re: (no subject) JJC (Mar 03)
- Re: (no subject) Jefferson, Shawn (Mar 03)
- Re: (no subject) Dave Venman (Mar 03)
- Re: (no subject) Joel Esler (Mar 04)
- Re: (no subject) Alan Ptak (Mar 02)
- Re: (no subject) Joel Esler (Mar 01)
- <Possible follow-ups>
- (no subject) sasa susmanto (Mar 02)
- Re: (no subject) Alan Ptak (Mar 02)