Re: Modifying Rules Works One Direction, but Not T'Other

[Doug Burks <doug.burks () gmail com>]

Hi colony.three,

Replies inline.

On Sat, Nov 29, 2014 at 2:09 PM, colony.three
<colony.three () protonmail ch> wrote:
> I've found that the current SecurityOnion has some serious problems.  It
> does not even -define-:
> EXTERNAL_NET
> HOME_NET
> HTTP_PORTS
> ... for some reason.

Security Onion does indeed define those variables.  Are you sure
you're looking at the right file?  Are you sure you ran through Setup
properly?  Are you sure you followed our Installation guide?
https://code.google.com/p/security-onion/wiki/Installation

> And these are mandatory for the GPL Emerging Threats
> rules.
>
> I can't report the problems because SO requires G**gle Groups, and I'm not
> signing up for that.

Any particular reason why?  You could always create a Google account
just for Google Groups.

> Further, it's looking like the GPL Emerging Threats rules may not be
> well-written, which are installed by SecurityOnion.
> What is going on with that?

Security Onion allows you to choose Sourcefire VRT or Emerging Threats.


> -------- Original Message --------
> Subject: Re: [Snort-users] Modifying Rules Works One Direction, but Not
> T'Other
> Time (GMT): Nov 29 2014 15:50:42
> From: joel.esler () me com
> To: colony.three () protonmail ch
> CC: snort-users () lists sourceforge net
>
> How about a “pass udp $EXTERNAL_NET any <> 192.168.1.7 any” rule?
>
>
> > On Nov 27, 2014, at 11:00 PM, colony.three wrote:
> >
> >
> > On 11/27/2014 7:22 PM, colony.three wrote:
> > > alert udp $EXTERNAL_NET any <> !192.168.1.7 any (msg:"ET TOR Known Tor
> >
> > i'm not surprised... you've told snort to alert on all udp traffic in
> > either
> > direction that's not for 192.168.1.7... so all traffic from all other
> > machines
> > will raise an alert...
> >
> >
> > Fine. I -want- traffic on all other machines to raise an alert.
> >
> > 192.168.1.7 is the only one running TOR traffic and I want that one to
> > shut up. But it is still alerting on 192.168.1.7 only, as I say. All my
> > other rules are working. And this one worked for one direction but I can't
> > shut up both directions because it dumps out when it finds a rule match.
> >
> > I am stuck on what to do about this. To me, the way I have the rule
> > crafted, I believe should stop alerts both directions for 192.168.1.7. Snort
> > seems to be misbehaving. But then I only started learning Snort 3 days ago.
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> > with Interactivity, Sharing, Native Excel Exports, App Integration & more
> > Get technology previously reserved for billion-dollar corporations, FREE
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk________________________...
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
>
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!