[Honeywall] Snort rules

Jefferson, Shawn Shawn.Jefferson at bcferries.com
Wed Jul 23 16:27:57 EDT 2008


Hmm, that's exactly what I did: I commented out the TFTP Get rule in
tftp.rules and restarted the Honeywall.  Maybe the problem isn't coming
from snort_inline then, but somewhere else.  I don't mind the lack of a
GUI interface to snort rules... I just wanted to make sure I was editing
the right files.

I notice that Walleye is still picking up on the TFTP Get, but I think
this is due to the regular snort IDS.

Can anyone think of any other reason the TFTP opcode would be
sent as 0x1201 instead of 0x0001 from behind my Honeywall?


-----Original Message-----
From: honeywall-bounces at public.honeynet.org
[mailto:honeywall-bounces at public.honeynet.org] On Behalf Of Earl
Sent: July 23, 2008 1:05 PM
To: honeywall at public.honeynet.org
Subject: Re: [Honeywall] Snort rules

We gave up on creating "yet another snortrule interface" a while 
back to dedicate devel resources in what we considered at the time 
to be more important areas.  For clarity, this is not a "jab" just 
a general explanation of what happened...

either remove tftp.rules from /etc/snort_inline/snort_inline.conf 
entirely
or
poke around in /etc/snort_inline/rules/tftp.rules 
until you find the "offending" rule and comment it out by prepending 
the line with a "#" (a la a bash comment)

Need to restart snort-inline after.  I suggest 
'/etc/init.d/hwdaemons restart' or a reboot.

Earl

On Wed, 23 Jul 2008 14:23:29 -0400 "Jefferson, Shawn" 
<Shawn.Jefferson at bcferries.com> wrote:
>Hi,
>
>I'm having some trouble allowing TFTP GET transfers from my Honeypots.
>Doing a packet capture on my TFTP server, I notice that the TFTP opcode
>is being sent as 0x1201 from the Honeypot when it sends the request
>through the Honeywall.  If I move the Honeypot so that it isn't behind
>the Honeywall, TFTP works fine and the opcode is 0x0001 like you would
>assume.  I'm assuming this is snort-inline that is changing the packet,
>but I just can't see how to stop it from doing this.  I've looked at the
>rules in etc and made changes there, but I'm still having this problem.
>
>What's the method to change the snort_inline rules on Honeywall roo 1.4?
>Anyone else have this problem?

_______________________________________________
Honeywall mailing list
Honeywall at public.honeynet.org
https://public.honeynet.org/mailman/listinfo/honeywall
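An added diagnostic for the symptom discussed in this thread (not code from the list or from the Honeywall project): it decodes a TFTP request payload per RFC 1350, flags an opcode that is not a valid TFTP opcode, and shows byte-for-byte which positions differ between a capture taken directly and one taken through the Honeywall. The two payloads are constructed here to mirror the values reported in the thread (0x0001 direct, 0x1201 via the Honeywall); the filename and mode are assumed.

```python
import struct

# TFTP opcodes defined in RFC 1350 (RRQ is the "TFTP Get" request).
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

# Constructed UDP payloads: the first two bytes are the opcode, then
# NUL-terminated filename and transfer mode.  Filename/mode are assumed.
DIRECT_CAPTURE = b"\x00\x01boot.img\x00octet\x00"        # opcode 0x0001
VIA_HONEYWALL_CAPTURE = b"\x12\x01boot.img\x00octet\x00"  # opcode 0x1201


def parse_tftp_request(payload: bytes) -> dict:
    """Decode opcode, filename and mode from a TFTP RRQ/WRQ payload."""
    if len(payload) < 4:
        raise ValueError("payload too short for a TFTP request")
    (opcode,) = struct.unpack("!H", payload[:2])  # network byte order
    fields = payload[2:].split(b"\x00")
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace") if len(fields) > 1 else ""
    name = TFTP_OPCODES.get(opcode, "UNKNOWN")
    # A server cannot act on an unknown opcode, which is why the transfer
    # fails even though filename and mode are intact.
    return {"opcode": opcode, "name": name, "filename": filename,
            "mode": mode, "altered": name == "UNKNOWN"}


def diff_payloads(a: bytes, b: bytes) -> list:
    """List (offset, byte_in_a, byte_in_b) for each differing position.

    Only the common length is compared; a length mismatch would point to
    something other than an in-place byte rewrite.
    """
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def report(direct: bytes, inline: bytes) -> str:
    """Human-readable summary comparing the two captures."""
    d, i = parse_tftp_request(direct), parse_tftp_request(inline)
    lines = [f"direct : opcode 0x{d['opcode']:04x} ({d['name']}) {d['filename']} {d['mode']}",
             f"inline : opcode 0x{i['opcode']:04x} ({i['name']}) {i['filename']} {i['mode']}"]
    for off, x, y in diff_payloads(direct, inline):
        lines.append(f"byte {off}: 0x{x:02x} -> 0x{y:02x}")
    if i["altered"] and diff_payloads(direct, inline):
        lines.append("only opcode bytes changed: consistent with an in-line rewrite")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DIRECT_CAPTURE, VIA_HONEYWALL_CAPTURE))
```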