Snort mailing list archives
Re: ftp rules
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 23 Oct 2015 14:28:20 +0000
Take a look at the README.active file. I think you are missing the "resp:<resp_t>;" in your rule.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: santhoj san [mailto:santhojirulappan () gmail com]
Sent: Friday, October 23, 2015 9:32 AM
To: Adonis Okpidi
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] ftp rules

I am running snort in IPS mode only. Now I have changed the rules to use reject instead of drop, with a different revision number for the rules. I'm getting a Drop alert in the console, but the packets are not dropped. I am able to access the application.

Rules:

reject tcp any any -> any any (msg:"No skype 80"; appid:skype; sid:10000004; rev:003;)
reject tcp any any -> any any (msg:"No youtube"; appid:youtube; sid:10000006; rev:004;)
reject tcp any any -> any any (msg:"No Google"; appid:google; sid:10000007; rev:005;)

Changes in snort.conf:

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: buffer_size_mb=512

Command line:

sudo /usr/local/bin/snort -d -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0:wlan0 -Q

Console log:

Enabling inline operation
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...

Thanks & Regards
Santhoj Irulappan

On Fri, Oct 23, 2015 at 6:37 PM, Adonis Okpidi <adonisokpidi () gmail com> wrote:

http://stackoverflow.com/questions/22126452/snort-ips-rule-reject-work-but-drop-and-sdrop-dont-work

Have a read through the answer, as I'm sure it will help you with why it doesn't drop the packet: snort has to be run in inline mode, which makes it act as an IPS. By default snort runs passively, which makes it unable to drop the packets, so change the settings in the snort.conf file.

Let me know how you get on. And also you can use 'rev:1;' and 'rev:2;' http://manual.snort.org/node31.html

Best Regards,
Adonis Okpidi

On 23 Oct 2015, at 05:35, santhoj san <santhojirulappan () gmail com> wrote:

Ya, I tried with drop. Still it is not dropping the packets. I used the below rules:

drop tcp any any -> any any (msg:"No chrome"; appid:chrome; sid:10000004; rev:001;)
drop tcp any any -> any any (msg:"No skype"; appid:skype; sid:10000005; rev:001;)

Still I am able to access chrome, skype.

Thanks & Regards
Santhoj Irulappan

On Fri, Oct 23, 2015 at 12:50 AM, Adonis Okpidi <adonisokpidi () gmail com> wrote:

You can use 'drop' instead of 'alert'

Best Regards,
Adonis Okpidi

On 22 Oct 2015, at 18:28, santhoj san <santhojirulappan () gmail com> wrote:

Hi,

Can anyone help me with how to make a rule to drop the packets?

Thanks & Regards
Santhoj Irulappan

On Thu, Oct 22, 2015 at 9:12 PM, Adam Ring <adam.ring () aocsolutions com> wrote:

Yea, I just found out about the protocol-ftp rules. Thanks.

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Thursday, October 22, 2015 11:42 AM
To: Adam Ring
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] ftp rules

Take a look at protocol-ftp.rules

--
Joel Esler
Manager, Talos Group

On Oct 22, 2015, at 8:55 AM, Adam Ring <adam.ring () AocSolutions com> wrote:

Hi,

I am new to snort and was trying to create an ftp rule. I have downloaded the rules from the website, but in the ftp file there aren't any rules. I was wondering if that was supposed to be empty and, if it is, is there a place where I can go to find some examples of ftp rules?

Adam Ring
IT Help Desk Technician
Office 703.677.9540
AOC Solutions <http://www.aocsolutions.com/> | Solutions That Pay®
Blog <http://www.aocsolutions.com/blog> | Video <http://www.aocsolutions.com/ap-payment-automation-video> | LinkedIn <https://www.linkedin.com/company/139025?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1436380782168%2Ctas%3Aaoc%20solutions>

This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and attachments (if applicable) and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and strictly prohibited. You may be subject to confidentiality restrictions in an existing contract with AOC Solutions, Inc. As a result, you must protect the contents of this communication according to such terms and conditions.

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
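The thread above turns on one detail: the rules use drop/reject and snort.conf says inline, yet the console still reports "Running in IDS mode", so the engine is passive and nothing is blocked. The following checker is an added example written for this page, not code from the thread or from the Snort project. It parses Snort 2.x rule lines, the inline-related snort.conf settings, the command line and the startup log, and reports every reason the traffic might still pass. The sample inputs are taken from the thread; all function and variable names are this example's own, and the "Running in IPS mode" string it looks for as the inline counterpart of the page's "Running in IDS mode" line is an assumption about Snort's startup banner.

```python
import re

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*'
    r'(?P<dir>->|<>)\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

# Actions that can stop a packet in inline mode; 'alert' and 'log' only record it.
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}


def split_options(text):
    """Split the rule option body on ';' while ignoring ';' inside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Return the header fields and an options dict for one rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    options = {}
    for opt in split_options(m.group("opts")):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = options
    return rule


def parse_config(text):
    """Collect 'config key: value' lines from a snort.conf fragment."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*config\s+(\w+)\s*:\s*(.*?)\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def diagnose(rules_text, conf_text, log_text, cmdline):
    """Return a list of findings explaining why matching traffic may still pass."""
    findings = []
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        sid = rule["options"].get("sid", "?")
        if rule["action"] not in BLOCKING_ACTIONS:
            findings.append("sid %s: action '%s' only logs, it never blocks" % (sid, rule["action"]))
        for required in ("sid", "rev", "msg"):
            if required not in rule["options"]:
                findings.append("sid %s: missing option '%s'" % (sid, required))
    conf = parse_config(conf_text)
    if conf.get("policy_mode") != "inline":
        findings.append("snort.conf: policy_mode is %r, rules cannot drop unless it is 'inline'" % conf.get("policy_mode"))
    if conf.get("daq_mode") != "inline":
        findings.append("snort.conf: daq_mode is %r, expected 'inline'" % conf.get("daq_mode"))
    if "-Q" not in cmdline.split():
        findings.append("command line: the -Q (inline) flag is absent")
    if "Running in IDS mode" in log_text:
        findings.append("console: Snort reports 'Running in IDS mode', so the engine is passive and drop/reject cannot take effect")
    elif "Running in IPS mode" not in log_text:  # assumed banner text for the inline case
        findings.append("console: no 'Running in IPS mode' line seen; verify the run mode")
    return findings


# Constructed sample input, copied from the thread above.
SAMPLE_RULES = """
reject tcp any any -> any any (msg:"No skype 80"; appid:skype; sid:10000004; rev:003;)
reject tcp any any -> any any (msg:"No youtube"; appid:youtube; sid:10000006; rev:004;)
reject tcp any any -> any any (msg:"No Google"; appid:google; sid:10000007; rev:005;)
"""
SAMPLE_CONF = """
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: buffer_size_mb=512
"""
SAMPLE_CMDLINE = "sudo /usr/local/bin/snort -d -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0:wlan0 -Q"
SAMPLE_LOG = "Enabling inline operation\nRunning in IDS mode\n--== Initializing Snort ==--\n"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_RULES, SAMPLE_CONF, SAMPLE_LOG, SAMPLE_CMDLINE):
        print(finding)
```

Run against the thread's own input the checker passes every rule and config test and leaves a single finding, the "Running in IDS mode" banner; that is the line to trust when alerts show "Drop" in the console but connections still succeed, because an alert label says what the rule asked for, not what the engine did.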
Current thread:
- ftp rules Adam Ring (Oct 22)
- Re: ftp rules Al Lewis (allewi) (Oct 22)
- Re: ftp rules Joel Esler (jesler) (Oct 22)
- Re: ftp rules Adam Ring (Oct 22)
- Re: ftp rules santhoj san (Oct 22)
- Re: ftp rules Adonis Okpidi (Oct 22)
- Re: ftp rules santhoj san (Oct 22)
- Re: ftp rules Adonis Okpidi (Oct 23)
- Re: ftp rules santhoj san (Oct 23)
- Re: ftp rules Al Lewis (allewi) (Oct 23)
- Re: ftp rules santhoj san (Oct 26)
- Re: ftp rules Al Lewis (allewi) (Oct 26)
- Re: ftp rules santhoj san (Oct 26)
- Re: ftp rules Adam Ring (Oct 22)