Snort mailing list archives
Re: Snort / Rules / Pulled Pork
From: Marcin Dulak via Snort-users <snort-users () lists snort org>
Date: Sat, 16 Sep 2017 16:27:27 +0200
On Sat, Sep 16, 2017 at 3:20 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:
> Ok, slowly I am trying to figure this out. I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg firewall client long host entry exploit attempt-19187" alerts. The source IPs for all the alerts are my internet service provider's DNS servers along with the IP of my Pi-hole Raspberry Pi. So, I need a simple filter for this rule, correct? I figure I need this:
>
> suppress gen_id 3, sig_id 19187 track by_src, ip 24.25.5.60,24.25.5.61

Readable examples are given at
https://www.snort.org/faq/readme-filters
https://github.com/Cisco-Talos/snort-faq/blob/master/docs/README.filters
> I ended up trying it in several different locations including snort.conf and local.rules without any effect.

snort.conf contains the line

include threshold.conf

where you can write those suppress filters.
> Last night, I put the statement at the bottom of snort.rules, which is where all the pulled pork rules are. IT WORKED :-). I woke up this a.m., hoping to continue eliminating some of my false positives through this method, and my additions were no longer at the bottom of the pulled pork/snort.rules list.

pulledpork is configurable to download and update snort.rules - maybe this is what happened?

Marcin
> The false positives are still being enforced though. I realize I am new and asking some really noob questions. I always try and find the answers on the internet; problem is, I end up with old information. Any assistance greatly appreciated.
>
> Thanks,
> Dan
>
> "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
>
> Sent from my iPad
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
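As an added illustration, not code from this thread, from Snort or from PulledPork: a small Python model of how suppress entries in threshold.conf are matched against events. The gen_id/sig_id pair must match the alert, and with track by_src or by_dst the named side of the connection must fall inside one of the listed addresses. The suppress entries reuse the two resolver addresses quoted above; the alert_fast lines and the 192.168.1.50 address standing in for the Pi-hole are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample data (not from the thread); 192.168.1.50 stands in for the Pi-hole (assumption).
SUPPRESS_CONF = """
suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.60
suppress gen_id 3, sig_id 19187, track by_src, ip 24.25.5.61
suppress gen_id 1, sig_id 2000001
"""
ALERTS = """
09/16-03:12:01.000001  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 24.25.5.60:53 -> 192.168.1.50:41234
09/16-03:12:02.000001  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Priority: 1] {UDP} 192.168.1.50:53 -> 192.168.1.20:51000
09/16-03:12:03.000001  [**] [1:2000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 10.0.0.1:1234 -> 192.168.1.50:80
"""
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
                         r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$")
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*\{\w+\} (\S+) -> (\S+)$")

def parse_suppress(conf):
    """Entries as (gid, sid, track, nets); nets is empty when there is no track clause ('any address')."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable suppress line: {line!r}")
        gid, sid, track, ips = m.groups()             # ips: one address, a CIDR block or a [a,b] list
        nets = [ipaddress.ip_network(a, strict=False) for a in ips.strip("[]").split(",")] if ips else []
        rules.append((int(gid), int(sid), track, nets))
    return rules

def parse_alert(line):
    """(gid, sid, src_ip, dst_ip) from one alert_fast line; IPv4 host:port form only."""
    gid, sid, src, dst = ALERT_RE.search(line).groups()
    return int(gid), int(sid), src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]

def is_suppressed(alert, rules):
    gid, sid, src, dst = alert
    for rgid, rsid, track, nets in rules:
        if (rgid, rsid) != (gid, sid):                # gen_id and sig_id must both match
            continue
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if not nets or any(addr in net for net in nets):
            return True
    return False

def surviving_alerts(alert_text, conf):
    rules = parse_suppress(conf)
    return [a for a in map(parse_alert, alert_text.strip().splitlines()) if not is_suppressed(a, rules)]
```

Running it on the sample data leaves only the second alert, the one whose source is the Pi-hole itself: a by_src suppress that lists just the upstream resolvers does nothing for events sourced from the local forwarder.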