Snort mailing list archives
Re: Snort running inline but not functioning as IPS
From: mlists () robin-kipp net
Date: Fri, 22 Jan 2016 13:02:17 +0100
Hi James, thanks for that! I used pulledpork's dropsid.conf file and specified rule SID 136:1, which is the reputation-based rule for IP blacklisting. After running pulledpork to reprocess those rules and reloading Snort, it really looks like Snort is now dropping traffic with those IPs as source or destination! So, many thanks for putting me on the right track here; now I just have to figure out how to switch rules to 'drop' state on a wider range, e.g. without explicitly specifying single SIDs or SID ranges.

Best regards,
Robin

On 2016-01-22 00:26, James Lay wrote:
> On 2016-01-21 16:19, Robin Kipp wrote:
>> Hi James,
>>
>> On 21.01.2016 at 22:59, James Lay <jlay () slave-tothe-box net> wrote:
>>> Do you have any rules that say "drop" instead of "alert"?
>>
>> Well, I'm honestly not sure! I haven't really done anything with the rules yet, as I wanted to get basic functionality working and then start to get more into the details... I'm using pulledpork to update my rules, using the registered ruleset provided by Talos and the free one provided by EmergingThreatsPro. All my rules are stored in one file, snort.rules. After briefly looking at that file, I just took a shot in the dark by running:
>>
>> grep "drop tcp" /var/snort/rules/snort.rules
>>
>> which gave me no output whatsoever. On the other hand, the command
>>
>> grep "alert tcp" /var/snort/rules/snort.rules
>>
>> returned loads of results; I eventually aborted the command. So, I guess that means I currently don't have any drop rules active, at least as far as I can tell. So, what would be the best way for me to change that? Is there any way to automatically enforce some rules based on severity or any other criteria, or what's the preferred way? I suppose if I manually changed some rules in the snort.rules file, then pulledpork would probably overwrite those changes with the next upgrade. Would that be true? Thanks a lot for any further help!
>>
>> Best regards,
>> Robin
>
> Ah...well there you have it then. Change a rule or two from alert to drop and then restart and test.
>
> James
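Worked example, added here and not part of the thread or of pulledpork itself: a small Python script that does for a rules file what pulledpork's dropsid.conf does for you, accepting the same three selector forms that file documents (a single `gid:sid`, a `gid:sid-gid:sid` range, and `pcre:<regex>` matched against the rule text) and flipping matching active `alert` rules to `drop`. The sample rules are constructed for the example; the header-less preprocessor rule is modelled on, not copied from, the GID 136 reputation rule Robin mentions. The script also replaces the `grep "drop tcp"` check from the thread with an action census anchored at the start of each line, so `drop udp`, `drop ip` and preprocessor rules are counted and commented-out rules are not.

```python
"""Flip Snort 2.x rules from 'alert' to 'drop' by SID, SID range or pattern.

Stand-alone illustration of the dropsid.conf idea; this is NOT pulledpork's
code. Selector syntax assumed to mirror pulledpork's three documented forms:
'gid:sid', 'gid:sid-gid:sid' (inclusive range) and 'pcre:<regex>'.
"""
import re
from typing import Callable, List, Optional, Tuple

# Rule actions Snort accepts at the start of a rule, used for the anchored census.
ACTION_RE = re.compile(r"^(alert|log|pass|drop|sdrop|reject|activate|dynamic)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed sample rules for this example (not from the post or any real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS anomaly"; classtype:bad-unknown; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE disabled web rule"; classtype:web-application-attack; sid:1000003; rev:1;)
alert ( msg:"REPUTATION_EVENT_BLACKLIST"; sid:1; gid:136; rev:1; metadata:rule-type preproc; classtype:bad-unknown; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB exploit attempt"; reference:cve,2008-4250; classtype:attempted-admin; sid:1000004; rev:2;)
"""

Selector = Callable[[int, int, str], bool]  # (gid, sid, rule_text) -> matches?


def _parse_gid_sid(token: str) -> Tuple[int, int]:
    gid, sid = token.strip().split(":")
    return int(gid), int(sid)


def parse_selector(spec: str) -> Selector:
    """Turn one dropsid-style line into a predicate over (gid, sid, rule text)."""
    spec = spec.strip()
    if spec.startswith("pcre:"):
        pattern = re.compile(spec[len("pcre:"):])
        return lambda gid, sid, text: pattern.search(text) is not None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        (lo_gid, lo_sid), (hi_gid, hi_sid) = _parse_gid_sid(lo), _parse_gid_sid(hi)
        return lambda gid, sid, text: (lo_gid, lo_sid) <= (gid, sid) <= (hi_gid, hi_sid)
    want_gid, want_sid = _parse_gid_sid(spec)
    return lambda gid, sid, text: (gid, sid) == (want_gid, want_sid)


def rule_ids(text: str) -> Optional[Tuple[int, int]]:
    """Return (gid, sid) of a rule line; gid defaults to 1 as it does in Snort."""
    sid = SID_RE.search(text)
    if not sid:
        return None
    gid = GID_RE.search(text)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def set_drop(rules_text: str, specs: List[str]) -> str:
    """Rewrite matching active 'alert' rules to 'drop'.

    Disabled (commented) rules and rules with other actions are left alone, and
    only the leading action word is replaced, never an 'alert' inside the body.
    """
    selectors = [parse_selector(s) for s in specs
                 if s.strip() and not s.lstrip().startswith("#")]
    out = []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        ids = rule_ids(stripped)
        if stripped.startswith("alert") and ids and any(sel(*ids, stripped) for sel in selectors):
            line = line.replace("alert", "drop", 1)
        out.append(line)
    return "\n".join(out) + "\n"


def count_actions(rules_text: str) -> dict:
    """Census of active rules by action, anchored at line start."""
    counts: dict = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line.lstrip())
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    print("before:", count_actions(SAMPLE_RULES))
    wider = set_drop(SAMPLE_RULES, ["136:1", "1:1000001-1:1000002", "pcre:reference:cve,2008-"])
    print("after: ", count_actions(wider))
```

Because pulledpork regenerates snort.rules on every run, selectors like these belong in dropsid.conf rather than in hand edits of the generated file. A range or `pcre:` selector can flip hundreds of rules in one go, so run the census on the result and check what the sensor actually starts blocking before trusting the new state in production.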
Current thread:
- Snort running inline but not functioning as IPS Robin Kipp (Jan 21)
- Re: Snort running inline but not functioning as IPS James Lay (Jan 21)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 21)
- Re: Snort running inline but not functioning as IPS James Lay (Jan 21)
- Re: Snort running inline but not functioning as IPS mlists (Jan 22)
- Re: Snort running inline but not functioning as IPS Joel Esler (jesler) (Jan 22)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 22)
- Re: Snort running inline but not functioning as IPS Joel Esler (jesler) (Jan 22)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 23)
- Re: Snort running inline but not functioning as IPS Joel Esler (jesler) (Jan 23)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 24)
- Re: Snort running inline but not functioning as IPS Y M (Jan 24)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 24)
- Re: Snort running inline but not functioning as IPS Y M (Jan 24)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 26)
- Re: Snort running inline but not functioning as IPS Robin Kipp (Jan 21)
- Re: Snort running inline but not functioning as IPS James Lay (Jan 21)