Snort mailing list archives
Re: Using pulled pork to change rule state from alert to drop for a policy type
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 25 Mar 2013 11:19:10 -0500
On 3/24/2013 12:41, Tony Robinson wrote:
> 5. Modify your snort rules to drop traffic in inline mode. My question revolves around 5. I'm well aware that pulled pork, via dropsid.conf, can be used to change alert rules to drop rules. I'm worried about haphazardly changing all the rules in my snort.rules file to DROP ALL THE THINGS.
there are two (2) camps to this particular question...

1. are you running the novell netmail server (mentioned in next quoted paragraph) on your network? is it patched up to date and is fixed for this specific flaw? if the answer is "yes", then you don't need to run this rule, do you? for one thing, not loading this rule will lower snort's memory footprint as well as increasing snort's processing speed since it doesn't have to process the rule. so run only those rules that pertain to your network and the equipment and servers allowed to run on it...

2. i'm kinda in the other camp... if someone is sending bad data to my system, i want to know about it... don't shake (test) the door knob on my front door to see if it is opened for you to just walk in... if you try to connect to mssql on my network from outside my network, i want to know about it... a) there's no reason for someone outside my network to try to connect to any sql servers there may be on my network, b) sql servers should not face the world wild whirl and c) how would you know there was a server there unless you've been probing and hunting for holes in which case, you are definitely up to no good and will be blocked...
> What I would like to do: If I see a rule with policy metadata that recommends the rule be set to drop, I want to change that rule from alert to drop. Let's pick on sid 1:10011 -- SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt, just to illustrate what I'm trying to do.
see above camp 1 unless you are in camp 2 ;)
> It has the line "metadata:policy security-ips drop" indicating that: "If the user is using a security over connectivity ruleset, this would make a good drop rule in that rule policy configuration."
ok...
> If I am using a given rule policy configuration in pulled pork (balanced, connectivity or security), and I see a rule with metadata that indicates a given rule would make a good drop rule for that policy ruleset (metadata: policy balanced-ips || policy connectivity-ips || policy security-ips), I want to use pulledpork to change it to a drop rule. Is there an effective way to do this? If there is not, I think this would make for an awesome feature request in PP.
i'll let others speak on this since i don't (yet) use pulledpork... i don't yet know how i would do it in my package but i have a rough idea... if PP doesn't have it, i agree that it would be a nice feature...
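The approach the thread is asking about (select only the rules whose `metadata:policy <name>-ips drop` recommendation matches the policy you actually run, rather than dropping everything) can be checked with a small script before you commit to it. The following is an added example, not pulledpork's code or anything from the posters; the rule text is constructed (sid 10011 and its msg come from the thread, but the rule body is invented, as are the other three sids), and the `gid:sid` output form is assumed to match what dropsid.conf accepts in your PulledPork version, so compare it against the comments in your own dropsid.conf.

```python
import re

# Constructed sample rule file (not real Talos/VRT rule text): sid 10011 from the
# thread with an invented body, plus three invented sids so every case appears:
# recommended drop, recommended alert only, and already a drop rule.
SAMPLE_RULES = """\
# lines starting with '#' are disabled rules and are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt"; flow:to_server,established; content:"APPEND"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-admin; sid:10011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"CONSTRUCTED mssql probe"; flow:to_server; metadata:policy security-ips drop, service sql; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED alert-only policy"; metadata:policy security-ips alert, policy balanced-ips alert; sid:9000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED already drop"; metadata:policy security-ips drop; sid:9000003; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<action>alert|drop|sdrop|reject|log|pass)\s+(?P<rest>.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
METADATA_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')


def policy_key(policy):
    """Accept 'security' or 'security-ips' and return the form used in metadata."""
    return policy if policy.endswith('-ips') else policy + '-ips'


def parse_rule(line):
    """Return (action, gid, sid, {policy: recommended_action}) or None for non-rules."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None  # blank or commented-out (disabled) rule
    m = RULE_RE.match(line)
    if not m:
        return None
    sid_m = SID_RE.search(line)
    if not sid_m:
        return None
    gid_m = GID_RE.search(line)
    gid = int(gid_m.group(1)) if gid_m else 1  # gid defaults to 1 when absent
    policies = {}
    for md in METADATA_RE.finditer(line):
        for item in md.group(1).split(','):
            parts = item.split()
            # "policy security-ips drop" -> policies["security-ips"] = "drop"
            if len(parts) == 3 and parts[0] == 'policy':
                policies[parts[1]] = parts[2]
    return m.group('action'), gid, sid_m.group(1), policies


def sids_recommended_drop(rules_text, policy):
    """gid:sid strings for alert rules whose metadata recommends drop under `policy`.

    Rules that are already drop/sdrop/reject are left out, so the list is exactly
    what would change. Intended as dropsid.conf input (assumed gid:sid line form).
    """
    key = policy_key(policy)
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        action, gid, sid, policies = parsed
        if action == 'alert' and policies.get(key) == 'drop':
            out.append(f'{gid}:{sid}')
    return out


def rewrite_rules(rules_text, policy):
    """Return the rule text with the matching alert rules rewritten to drop."""
    key = policy_key(policy)
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] == 'alert' and parsed[3].get(key) == 'drop':
            line = re.sub(r'^(\s*)alert\b', r'\1drop', line, count=1)
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Review the candidate list first; only then rewrite (or feed dropsid.conf).
    print('\n'.join(sids_recommended_drop(SAMPLE_RULES, 'security')))
    print(rewrite_rules(SAMPLE_RULES, 'security'))
```

Running it against the constructed rules with the `security` policy lists only 1:10011 and 1:9000001: the rule whose metadata says `security-ips alert` stays an alert, and the rule that is already `drop` is not listed because nothing about it would change. Running the same rules against `connectivity` lists nothing, which is the point of keying on the policy you actually deploy rather than on the presence of any `drop` recommendation. The regex parser is deliberately simple; it skips commented-out rules (pulledpork's disable mechanism) and treats a missing `gid` as 1, which covers snort.rules but not every custom file.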
Current thread:
- Using pulled pork to change rule state from alert to drop for a policy type Tony Robinson (Mar 24)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Joel Esler (Mar 24)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Yossi Nachum (Mar 25)
- Re: Using pulled pork to change rule state from alert to drop for a policy type waldo kitty (Mar 25)
- Re: Using pulled pork to change rule state from alert to drop for a policy type Tony Robinson (Mar 27)