Well put Jason. In a lower traffic environment snort does IP matching
well enough.
And even in a lot of medium speed installs using tools like snortsam it's useful to match on bad IP lists. We know about tens of thousands of bad IPs a highly secure site might want to block, but updating that into an entire perimeter of firewalls every day isn't that feasible.
If we can just have snort match on the really bad ones and use snortsam to add the rule live when we see a bad IP we save a lot of overhead in firewall administration. Then we only have rules in for the ones we're really seeing, and snortsam handles the admin overhead.
Works for me :)
Matt
Jason Brvenik wrote:
> I say use the tools you have to do the job you need when it needs to
> be done, just don't complain that the screws don't hold as well when
> you hammer them in.
>
> On Tue, Apr 28, 2009 at 1:21 PM, Joel Esler <jesler@sourcefire.com> wrote:
>> Nice. Then I'd rather see these rules used there instead of in Snort.
>> Snort is not a firewall.
>> J
>>
>> On Tue, Apr 28, 2009 at 10:16 AM, Shirk Dog <shirkdog_list@hotmail.com>
>> wrote:
>>> Get with it finchy.
>>>
>>> http://www.emergingthreats.net/fwrules/
>>>
>>> Shirkdog
>>> ' or 1=1--
>>> http://www.shirkdog.us
>>>
>>>
>>>
>>> ________________________________
>>> Date: Tue, 28 Apr 2009 09:15:42 -0400
>>> From: jesler@sourcefire.com
>>> To: jlay@slave-tothe-box.net
>>> CC: snort-users@lists.sourceforge.net
>>> Subject: Re: [Snort-users] FYI: Empty IP used either as source IP or as
>>> destination IP in a rule. IP list: [].
>>>
>>> On Tue, Apr 28, 2009 at 8:54 AM, James Lay <jlay@slave-tothe-box.net>
>>> wrote:
>>>
>>> Ruleset gets updated at midnight:
>>>
>>>
>>> Apr 28 06:29:52 gateway snort[12383]: FATAL ERROR:
>>> /chroot/snort/etc/snort/rules/emerging-drop.rules(49) => Empty IP used
>>> either as source IP or as destination IP in a rule. IP list: [].
>>>
>>> This is an emerging threats rule, so they'll see this email. However, I'd
>>> still love to see these IP lists developed into Firewall rules for different
>>> Firewalls, or even routers. People could then utilize the proper device to
>>> drop the traffic to and from these IPs instead of trying to use an IPS as a
>>> firewall. This has needed to be done for a long time coming now.
>>>
>>> --
>>> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974 |
>>> http://twitter.com/joelesler
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Register Now & Save for Velocity, the Web Performance & Operations
>>> Conference from O'Reilly Media. Velocity features a full day of
>>> expert-led, hands-on workshops and two days of sessions from industry
>>> leaders in dedicated Performance & Operations tracks. Use code vel09scf
>>> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users@lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974 |
>> http://twitter.com/joelesler
>>
>>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
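As an added example (not code from this thread, from Snort or from Emerging Threats), a small Python checker that parses Snort 2 rule headers, flags the empty IP list ("[]") that produced the FATAL ERROR James hit at the midnight update, and turns the literal address lists of the remaining drop rules into iptables DROP commands, which is the firewall-side use Joel asks for. The rules in SAMPLE_RULES are constructed for the example; "any" and $VARIABLE sides are skipped, and negated entries are not handled.

```python
import ipaddress
import re

# Constructed sample rules in Snort 2 header syntax (not the real emerging-drop.rules).
# The third rule reproduces the failure from the thread: an empty IP list "[]".
SAMPLE_RULES = """\
drop ip [192.0.2.10,198.51.100.0/24] any -> $HOME_NET any (msg:"bad host inbound"; sid:2400001;)
drop ip $HOME_NET any -> [203.0.113.7] any (msg:"bad host outbound"; sid:2400002;)
drop ip [] any -> $HOME_NET any (msg:"empty list"; sid:2400003;)
"""

# Rule header: action proto src_ip src_port direction dst_ip dst_port, then the "(" of the options.
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")
SID = re.compile(r"sid:\s*(\d+)")

def parse_ip_field(field):
    """Return ip_network objects for a literal Snort IP list, or None for 'any' and
    $VARIABLE fields, which cannot be turned into static firewall rules."""
    if field == "any" or field.startswith("$"):
        return None
    inner = field[1:-1] if field.startswith("[") else field
    # Negated entries ("!x") are deliberately unsupported: ip_network() will reject them.
    return [ipaddress.ip_network(s, strict=False) for s in inner.split(",") if s]

def check_and_convert(rule_text, path="emerging-drop.rules"):
    """Lint every drop rule header and emit iptables DROP commands for its literal
    lists. Returns (errors, commands); errors reuse Snort's own FATAL ERROR wording."""
    errors, commands = [], []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        m = HEADER.match(line)
        if not m:
            continue
        action, _proto, src, _sport, _direction, dst, _dport = m.groups()
        if action != "drop":
            continue
        sid = SID.search(line)
        comment = f"sid-{sid.group(1)}" if sid else f"line-{lineno}"
        sides = [(flag, parse_ip_field(f)) for flag, f in (("-s", src), ("-d", dst))]
        if any(nets == [] for _, nets in sides):
            errors.append(f"{path}({lineno}) => Empty IP used either as source IP "
                          f"or as destination IP in a rule. IP list: [].")
            continue
        for flag, nets in sides:
            for net in nets or []:
                commands.append(f"iptables -I FORWARD {flag} {net.with_prefixlen} "
                                f"-m comment --comment {comment} -j DROP")
    return errors, commands
```

Running the checker on a freshly downloaded ruleset before Snort reloads it turns the fatal error into a reported line number, and the emitted commands carry the sid so a block can be traced back to its rule.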