Snort mailing list archives

Re: (no subject)


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Mar 2011 10:03:27 -0500

I actually prefer Shawn's method.  

adding "noalert" means modifying the rule.  Which you are totally allowed to do, nothing holding you back, but then 
you have to maintain PP to modify that flowbit rule every time.  Plus if VRT changes the flowbit name or something (just 
saying)..

J

On Mar 4, 2011, at 1:10 AM, Dave Venman wrote:

Rather than suppress it, why not use flowbits:noalert - that's what it was designed for?

On 4 March 2011 00:49, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Makes perfect sense, and what I've done to address the issue you raised at the end of your email, is keep the 
flowbits:set rule enabled, but create a suppress statement for it.

PS. And I'm excited to see the new features!

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com]
Sent: Thursday, March 03, 2011 4:44 PM
To: Jefferson, Shawn
Cc: Jason Wallace; wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

To address this, the logic behind PP does just what Jason had said...
if you have rules that are looking for flowbits:isset values, it enables the respective, and required, flowbits:set 
values.

Further, if you have specified a flowbits:set rule to be explicitly disabled in the disablesid.conf section and PP 
needs to automatically re-enable that due to it being a dependency of other rules, it will do so.. and Shawn, to 
address your concern.. that was a feature request that has been added to the current version that can be found in the 
svn repo.  I anticipate having a release out soon, it contains numerous bug-fixes and feature enhancements.. I'm just 
waiting on some code commits to complete.

Consider this logic re: flowbit auto re-enabling:

I have 3 critical rules that look for current 0-day type traffic..
they all contain flowbits:isset,this.foo; and you disabled the rule that contains flowbits:set,this.foo; because it 
was generating an event like "POLICY this schmuck downloaded tha foo!" and you did not want to see that.  By 
disabling, and subsequently not re-enabling the rule containing flowbits:set,this.foo; you would be silently 
disabling the other 3 critical rules that relied on that flowbit, make sense?

JJC


------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various alternative
solutions. http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email:   dave.venman () sourcefire com
Mobile: +44 (7917) 168068
DDI:     +44 (118) 989 8412
Fax:     +44 (118) 989 8401


--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
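Added illustration of the flowbit-dependency logic the thread is arguing about. This is not PulledPork's code and not a VRT rule set: the rules below are constructed for the example, and the SIDs (local 1000001+ range) are hypothetical. It shows why a disabled flowbits:set rule silently kills every enabled flowbits:isset rule that depends on it, which disabled setters have to come back on (what JJC says PP does automatically), and the two ways to keep a re-enabled setter quiet: Dave's flowbits:noalert inside the rule text, which is the edit Joel points out has to be redone on every rule update, and Shawn's suppress line in threshold.conf, which leaves the rule text alone.

```python
"""Flowbit dependency check, in the spirit of what PulledPork (PP) does.

Added example, not PP's code.  Sample rules and SIDs below are constructed.
"""
import re
from dataclasses import dataclass, field, replace

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]*))?;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

# Constructed sample rules (not VRT rules).  1000001 is the noisy "POLICY"
# setter an admin disabled; 1000002/1000003 depend on it.  1000004 is a
# setter already quieted with noalert; 1000005 sets a bit no enabled rule
# tests, so leaving it disabled is harmless.
SAMPLE_RULES = """\
# constructed sample rules for the flowbit dependency check
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY constructed foo download"; flow:to_server,established; content:"GET /foo"; flowbits:set,this.foo; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT constructed foo payload 1"; flow:to_client,established; flowbits:isset,this.foo; content:"|DE AD|"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT constructed foo payload 2"; flow:to_client,established; flowbits:isset,this.foo&this.bar; content:"|BE EF|"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY constructed bar handshake"; flow:to_server,established; content:"BAR"; flowbits:set,this.bar; flowbits:noalert; sid:1000004; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY constructed baz (unused)"; flowbits:set,this.baz; sid:1000005; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT constructed baz dependent (disabled)"; flowbits:isset,this.baz; sid:1000006; rev:1;)
"""


@dataclass
class Rule:
    sid: int
    enabled: bool
    msg: str
    text: str = ""
    sets: set = field(default_factory=set)     # bits this rule sets/toggles
    checks: set = field(default_factory=set)   # bits this rule tests (isset/isnotset)
    noalert: bool = False


def _names(arg):
    """Split 'a&b' / 'a|b' / 'a,b' into bit names; drop any/all qualifiers."""
    return {n.strip() for n in re.split(r'[&|,]', arg)
            if n.strip() and n.strip() not in ("any", "all")}


def parse_rules(text):
    """Parse rule lines; a leading '#' in front of the action marks a disabled rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith(ACTIONS):
            continue                      # ordinary comment, not a disabled rule
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue
        msg_m = MSG_RE.search(body)
        rule = Rule(sid=int(sid_m.group(1)), enabled=enabled,
                    msg=msg_m.group(1) if msg_m else "", text=body)
        for keyword, arg in FLOWBITS_RE.findall(body):
            if keyword in ("set", "setx", "toggle"):
                rule.sets |= _names(arg)
            elif keyword in ("isset", "isnotset"):
                rule.checks |= _names(arg)
            elif keyword == "noalert":
                rule.noalert = True
        rules.append(rule)
    return rules


def required_bits(rules):
    """Bits tested by enabled rules; each needs an enabled setter or the test is dead."""
    return set().union(*(r.checks for r in rules if r.enabled))


def dead_checks(rules):
    """SIDs of enabled isset/isnotset rules whose bit has no enabled setter."""
    live = set().union(*(r.sets for r in rules if r.enabled))
    return sorted(r.sid for r in rules if r.enabled and r.checks - live)


def setters_to_reenable(rules):
    """Disabled rules that set a bit some enabled rule depends on (what PP re-enables)."""
    need = required_bits(rules)
    return sorted(r.sid for r in rules if not r.enabled and r.sets & need)


def reenable(rules, sids):
    """Return a copy of the rule list with the given SIDs switched on."""
    return [replace(r, enabled=True) if r.sid in sids else r for r in rules]


def suppress_lines(rules):
    """Shawn's method: keep setters enabled, silence their events in threshold.conf.
    Only pure setters (set a bit, test none) without flowbits:noalert need a line."""
    return [f"suppress gen_id 1, sig_id {r.sid}"
            for r in rules if r.enabled and r.sets and not r.checks and not r.noalert]


def add_noalert(rule_text):
    """Dave's method: edit the rule itself by adding flowbits:noalert; after the
    flowbits:set option.  This edit has to be redone whenever the rule is updated."""
    if "flowbits:noalert" in rule_text:
        return rule_text
    return re.sub(r'(flowbits\s*:\s*set[^;]*;)', r'\1 flowbits:noalert;', rule_text, count=1)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("dead isset rules before fix:", dead_checks(rules))
    fixed = reenable(rules, setters_to_reenable(rules))
    print("dead isset rules after fix:", dead_checks(fixed))
    print("\n".join(suppress_lines(fixed)))
```

With the sample set, 1000002 and 1000003 are dead until 1000001 is re-enabled; once it is, the only suppress line needed is for 1000001, because 1000004 already carries flowbits:noalert. The suppress approach keeps the rule file byte-identical to what PP downloads, so the next update does not overwrite your change; the noalert approach has to be reapplied by whatever modifies rules after each pull.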
