List:       snort-users
Subject:    Re: [Snort-users] BASE
From:       Dan O'Brien via Snort-users <snort-users () lists ! snort ! org>
Date:       2017-09-14 18:35:55
Message-ID: F6F570E7-2FC2-4F23-97E9-1C268DE55F7C () gmail ! com

Ok, slowly I am trying to figure this out.

I run Pi-hole on a Raspberry Pi on my network. I believe it is the reason why I am getting multiple "protocol dns tmg firewall client long host entry exploit attempt-19187" alerts.

The source IPs for all the alerts are my Internet service provider's DNS servers along with the IP of my Pi-hole Raspberry Pi. So, I need a simple filter for this rule, correct?

I figure I need this:
suppress gen_id 1, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61]

1) Will this work?
2) Where does it go? snort.conf?
3) Can I list multiple comma-separated IPs or a new line for each IP?

Thanks in advance for any assistance. 

Thanks,
Dan
(770) 624-1010
pdobrien3@gmail.com

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad

> On Sep 10, 2017, at 2:29 PM, Ron Sinclair via Snort-users <snort-users@lists.snort.org> wrote:
> You'd have to tune Snort itself (rules and/or processors), not BASE. BASE will allow you to see/manipulate the alerts, but that's about it.
> Ron Sinclair
> unixfool@gmail.com
> 
> 
> > On Sat, Sep 9, 2017 at 6:49 PM, Dan O'Brien via Snort-users <snort-users@lists.snort.org> wrote:
> > All,
> > 
> > If I am posting off-topic, please let me know. I have installed snort, barnyard2, oinkmaster, and BASE. Everything seems to be working very well. I followed one of the how-tos on the snort site. I am slowly learning and have tried several IDS without success. The config I have now seems to be stable and I am very happy with it. I just need to start configuring BASE and I cannot find any help on the web. I need to start learning how to tell BASE what is significant and what is not and to alert me on important stuff. I would also like to try and get some of the graph stuff working as it doesn't seem to work.
> > This is the guide I followed.
> > 
> > https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1505000935&Signature=Z7Tc484O02UTenkqQPax%2BFythyE%3D
> >  
> > Thanks,
> > Dan
> > (770) 624-1010
> > pdobrien3@gmail.com
> > 
> > "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
> > Sent from my iPad
> > 
> > 


_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
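For reference, the following is an added example (it is not part of the thread and not from the Snort distribution) of how the suppression asked about above is written in Snort 2.9 syntax, together with the other tuning options this thread points at (tuning the rules rather than BASE). The two 24.25.5.x addresses are the ISP resolvers given in the message; 192.168.1.2 stands in for the Pi-hole and is an assumption, as is the /etc/snort layout.

```conf
# Added example: Snort 2.9 event suppression for SID 19187 (GID 1).
# Not from the thread or the Snort distribution. 24.25.5.60/61 are the ISP
# resolvers named in the message; 192.168.1.2 is a placeholder for the
# Pi-hole (assumption), as is the /etc/snort path.
#
# Where it goes: /etc/snort/threshold.conf, which the stock snort.conf pulls
# in with "include threshold.conf", or directly in snort.conf after the rule
# includes. Documented syntax, with every option separated by a comma:
#   suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip-list>
# A line that drops the comma between the sig_id and track options does not
# match that form.

# Hide SID 19187 only when the packet's source is one of these hosts. The ip
# list uses the same bracket form as rule-header IP lists (CIDR allowed).
suppress gen_id 1, sig_id 19187, track by_src, ip [24.25.5.60,24.25.5.61,192.168.1.2]

# Same effect written one host per line; each suppress stands on its own.
# suppress gen_id 1, sig_id 19187, track by_src, ip 24.25.5.60
# suppress gen_id 1, sig_id 19187, track by_src, ip 24.25.5.61
# suppress gen_id 1, sig_id 19187, track by_src, ip 192.168.1.2

# Less drastic: keep the rule but log at most one such alert per source per
# hour, so a host that is not a known resolver still shows up in BASE.
# event_filter gen_id 1, sig_id 19187, type limit, track by_src, count 1, seconds 3600

# Most drastic: drop the rule for every host. With Oinkmaster this line goes
# in oinkmaster.conf (not here) so that it survives rule updates.
# disablesid 19187

# Check the configuration (including threshold.conf) before restarting:
#   snort -T -c /etc/snort/snort.conf
```

Because the suppression tracks by_src, an alert whose source address is not in the list is still raised; the message says the Pi-hole's own address also appears as a source, so it has to be in the list (or get its own suppress line) for those alerts to disappear as well. `snort -T` parses the whole configuration and exits, which is the quickest way to find out whether a suppress line is accepted.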

