[Honeywall] Snort rules

Earl esammons at hush.com
Fri Jul 25 10:48:23 EDT 2008


grep '0x1201' /etc/snort_inline/rules/*.rules

Earl

On Fri, 25 Jul 2008 07:09:25 -0400 Rob McMillen <rvmcmil at gmail.com> wrote:
>The only thing that modifies packets, and this is only outbound, is
>snort_inline.  Could there be another rule targeting tftp in another
>file?  When you said you restarted the honeywall, did you mean a
>reboot?  Or did you use the UI to restart the honeywall services?
>
>Rob
>
>On Wed, Jul 23, 2008 at 4:27 PM, Jefferson, Shawn
><Shawn.Jefferson at bcferries.com> wrote:
>> Hmm, that's exactly what I did, I commented out the TFTP Get rule in
>> tftp.rules and restarted the Honeywall.  Maybe the problem isn't coming
>> from snort_inline then, but somewhere else.  I don't mind the lack of a
>> GUI interface to snort rules... I just wanted to make sure I was editing
>> the right files.
>>
>> I notice that Walleye is still picking up on the TFTP Get, but I think
>> this is due to the regular snort IDS.
>>
>> Can anyone think of any other reason the TFTP opcode would be
>> sent as 0x1201 instead of 0x0001 from behind my Honeywall?
>_______________________________________________
>Honeywall mailing list
>Honeywall at public.honeynet.org
>https://public.honeynet.org/mailman/listinfo/honeywall


