Snort mailing list archives
Re: Using pulled pork to change rule state from alert to drop for a policy type
From: JJC <cummingsj () gmail com>
Date: Mon, 25 Mar 2013 09:02:49 -0600
In the current RELEASE of PP, the method that Yossi has noted is the accepted method to do this; you will want to set your base policy to security and then add the noted regex to the dropsid.conf. This will turn on all security rules and set those that have the drop in the associated metadata to drop.

JJC

On Sun, Mar 24, 2013 at 2:24 PM, Yossi Nachum <nachum234 () gmail com> wrote:
I am using regex to do that. Something like: pcre:security-ips\s*drop

Yossi Nachum

On Sun, Mar 24, 2013 at 7:41 PM, Tony Robinson <deusexmachina667 () gmail com> wrote:

Hello Folks,

I'm doing some experimentation with snort. I'm trying to document effective ways to transition a passive snort installation into an inline mode installation. Near as far as I can tell, there are a few key things you need to do with a modern snort installation to transition it to inline mode:

1. Configure DAQ for inline mode operation (e.g. afpacket and the interfaces you want to bridge).
2. Ensure the interfaces are configured to be up at boot and ready to forward traffic.
3. Test to ensure the interfaces are forwarding traffic as expected.
4. Modify your snort command line to add the -Q option, and your snort.conf with config policy_mode:inline.
5. Modify your snort rules to drop traffic in inline mode.

My question revolves around 5. I'm well aware that pulled pork, via dropsid.conf, can be used to change alert rules to drop rules. I'm worried about haphazardly changing all the rules in my snort.rules file to DROP ALL THE THINGS.

What I would like to do: If I see a rule with policy metadata that recommends the rule be set to drop, I want to change that rule from alert to drop. Let's pick on sid 1:10011 -- SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt, just to illustrate what I'm trying to do. It has the line "metadata:policy security-ips drop" indicating that: "If the user is using a security over connectivity ruleset, this would make a good drop rule in that rule policy configuration."

If I am using a given rule policy configuration in pulled pork (balanced, connectivity or security), and I see a rule with metadata that indicates a given rule would make a good drop rule for that policy ruleset (metadata: policy balanced-ips || policy connectivity-ips || policy security-ips), I want to use pulledpork to change it to a drop rule. Is there an effective way to do this?
If there is not, I think this would make for an awesome feature request in PP.

-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
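An added illustration (not pulledpork's own code) of what a dropsid.conf pcre entry like the one in the thread does: it rewrites the action of every active rule whose text matches the regex, and a count of resulting actions lets you review the change before deploying. The rule texts are constructed samples; only sid 10011's policy metadata string is taken from the thread.

```python
"""Mimic the alert->drop rewrite that a dropsid.conf "pcre:" entry performs.

Added example, not pulledpork's code. Rules below are constructed samples;
the metadata strings follow the "policy <name>-ips drop" convention quoted in
the thread (sid 10011's real rule body is not reproduced).
"""
import re

SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt (constructed)"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop; sid:10011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule with alert-only policy"; metadata:policy security-ips alert; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"constructed disabled rule"; metadata:policy security-ips drop; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"constructed rule with no policy metadata"; sid:9000003; rev:1;)
"""


def dropsid_pcre(policy: str) -> str:
    """Build the dropsid.conf-style pattern for a base policy.
    'security' -> r'security-ips\\s*drop', the regex Yossi posted."""
    return rf"{policy}-ips\s*drop"


def apply_dropsid(rules: str, pcre: str) -> str:
    """Rewrite 'alert' to 'drop' for every active rule whose text matches pcre.
    Commented-out (disabled) rules and rules whose policy metadata says 'alert'
    are left untouched, so only rules the VRT marked as drop candidates flip."""
    pattern = re.compile(pcre)
    out = []
    for line in rules.splitlines():
        if line.startswith("alert ") and pattern.search(line):
            line = "drop " + line[len("alert "):]
        out.append(line)
    return "\n".join(out) + "\n"


def count_actions(rules: str) -> dict:
    """Count leading rule actions so the rewrite can be reviewed, which is
    the check against 'DROP ALL THE THINGS' the original poster worried about."""
    counts = {}
    for line in rules.splitlines():
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    rewritten = apply_dropsid(SAMPLE_RULES, dropsid_pcre("security"))
    print(count_actions(rewritten))  # one drop (sid 10011), two alerts
```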
Current thread:
- Using pulled pork to change rule state from alert to drop for a policy type Tony Robinson (Mar 24)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Joel Esler (Mar 24)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Yossi Nachum (Mar 25)
- Re: Using pulled pork to change rule state from alert to drop for a policy type JJC (Mar 25)
- Re: Using pulled pork to change rule state from alert to drop for a policy type waldo kitty (Mar 25)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Tony Robinson (Mar 27)