[Honeywall] Snort rules

Jefferson, Shawn Shawn.Jefferson at bcferries.com
Sat Jul 26 13:15:21 EDT 2008


Hi,
 
Unfortunately, I've tried this (actually greping for "|12 01|" which finds nothing, and for "|00 01|" which finds a lot... too many for me to go through individually.)
 
What I did do though, was comment out ALL the snort rulesets from the snortinline_conf file.  TFTP worked!  I then tested each one.  The offending ruleset is the tftp.rules, which is strange because I commented out the TFTP Get rule in /etc/snort_inline/rules/tftp.rules, and I don't see any other rules that should be interfering with a TFTP get of a random file (not nc.exe, or admin.dll, etc...)
 
So I am wondering... is this the right place to edit snort_inline rules?  /etc/snort_inline/rules ?
 
Also, is there a log that gets written when snort_inline fires on a rule ?
 
For now, I'm going to leave it commented out, although some of those rules I would like to keep (like the put rules.)
 
Thanks for your help everyone!
Shawn

________________________________

From: honeywall-bounces at public.honeynet.org on behalf of Earl
Sent: Fri 7/25/2008 8:48 AM
To: honeywall at public.honeynet.org; rvmcmil at gmail.com
Subject: Re: [Honeywall] Snort rules



grep '0x1201' /etc/snort_inline/rules/*.rules

Earl

On Fri, 25 Jul 2008 07:09:25 -0400 Rob McMillen <rvmcmil at gmail.com>
wrote:
>The only thing that modifies packets, and this is only outbound,
>is
>snort_inline.  Could there be another rule targeting tftp in
>another
>file?  When you said you restarted the honeywall, did you mean a
>reboot?  Or did you use the UI to restart the honeywall services?
>
>Rob
>
>On Wed, Jul 23, 2008 at 4:27 PM, Jefferson, Shawn
><Shawn.Jefferson at bcferries.com> wrote:
>> Hmm, that's exactly what I did, I commented out the TFTP Get
>rule in
>> tftp.rules and restarted the Honeywall.  Maybe the problem isn't
>coming
>> from snort_inline then, but somewhere else.  I don't mind the
>lack of a
>> GUI interface to snort rules... I just wanted to make sure I was
>editing
>> the right files.
>>
>> I notice that Walleye is still picking up on the TFTP Get, but I
>think
>> this is due to the regular snort IDS.
>>
>> Can you anyone think of any other reason the TFTP opcode would
>being
>> sent as 0x1201 instead of 0x0001 from behind my Honeywall ?
>_______________________________________________
>Honeywall mailing list
>Honeywall at public.honeynet.org
>https://public.honeynet.org/mailman/listinfo/honeywall

_______________________________________________
Honeywall mailing list
Honeywall at public.honeynet.org
https://public.honeynet.org/mailman/listinfo/honeywall


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://public.honeynet.org/pipermail/honeywall/attachments/20080726/99467197/attachment.html


More information about the Honeywall mailing list