Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker

    Scheduled Pinned Locked Moved pfSense Packages
    171 Posts 26 Posters 187.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      IMPORTANT!!!

      I'm in the middle of transitioning to a different blacklist management, but for now the pfblocker lists will remain here since I don't have the time to update that part of the guide. Thanks to BBcan17 for his help with the blacklists.

      This update brings a couple dozen no longer needed rules, and I have now started adding an explanation of why I deleted a certain rule next to it, after <<<

      Enjoy.

      
      In tab "Rules", under "Category" select:
      (--- means blank table at time of writing)
      
      Auto-Flowbit rules > all except:
      8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
      23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected
      >>>DISABLED:2
      
      emerging-activex > all
      >>>DISABLED:0
      
      emerging-attack_responses > all
      >>>DISABLED:0
      
      DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt <<< CARE!!! a lot of IRC servers are listed here. Try it first, an IRC network that you need to work, doesn't, then remove it.
      
      emerging-chat > all except:
      2010784 ET CHAT Facebook Chat (send message)
      2010785 ET CHAT Facebook Chat (buddy list)
      2010786 ET CHAT Facebook Chat (settings)
      2010819 ET CHAT Facebook Chat using XMPP
      2002327 ET CHAT Google Talk (Jabber) Client Login
      2002334 ET CHAT Google IM traffic Jabber client sign-on
      2001241 ET CHAT MSN file transfer request
      2001242 ET CHAT MSN file transfer accept
      2001243 ET CHAT MSN file transfer reject
      2001682 ET CHAT MSN IM Poll via HTTP
      2002192 ET CHAT MSN status change
      2008289 ET CHAT Possible MSN Messenger File Transfer
      2009375 ET CHAT General MSN Chat Activity
      2009376 ET CHAT MSN User-Agent Activity
      2001595 ET CHAT Skype VOIP Checking Version (Startup)
      2002157 ET CHAT Skype User-Agent detected
      2003022 ET CHAT Skype Bootstrap Node (udp)
      2000355 ET CHAT IRC authorization message [stops IRC from working]
      2002024 ET CHAT IRC NICK command [stops IRC from working]
      2002028 ET CHAT IRC PONG response [stops IRC from working]
      2002025 ET CHAT IRC JOIN command [stops IRC from working]
      2002026 ET CHAT IRC PRIVMSG command [stops IRC from working]
      >>DISABLED:22
      
      DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt
      
      DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
      
      emerging-current_events > all
      >>>DISABLED:0
      
      emerging-deleted > ---
      
      emerging-dns > all except:
      2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
      2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
      2001117 ET DNS Standard query response, Name Error
      >>>DISABLED:3
      
      emerging-dos > all
      >>>DISABLED:0
      
      DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
      
      DO NOT USE! > emerging-dshield > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
      
      emerging-exploit > all except:
      2001058 ET EXPLOIT libpng tRNS overflow attempt
      2002913 ET EXPLOIT VNC Client response
      2002914 ET EXPLOIT VNC Server VNC Auth Offer
      2002919 ET EXPLOIT VNC Good Authentication Reply
      2002915 ET EXPLOIT VNC Authentication Reply
      2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
      2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3
      >>>DISABLED:7
      
      emerging-ftp > all
      2010731 ET FTP FTP CWD command attempt without login
      >>>DISABLED:1
      
      emerging-games > all
      >>>DISABLED:0
      
      emerging-icmp > ---
      
      emerging-icmp_info > ---
      
      emerging-imap > ---
      
      emerging-inappropriate > all except:
      2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
      2001608 ET INAPPROPRIATE Likely Porn
      >>>DISABLED:2
      
      emerging-info > all except:
      2014472 ET INFO JAVA - Java Archive Download
      2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
      2014819 ET INFO Packed Executable Download
      2015016 ET INFO FTP STOR to External Network
      2015561 ET INFO PDF Using CCITTFax Filter
      2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
      2016360 ET INFO JAVA - ClassID
      2016361 ET INFO JAVA - ClassID
      2016404 ET INFO MPEG Download Over HTTP (1)
      2015674 ET INFO 3XX redirect to data URL
      2016847 ET INFO Possible Chrome Plugin install
      2017669 ET INFO Zip File
      >>>DISABLED:12
      
      emerging-malware > all except:
      2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
      2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
      2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related
      >>>DISABLED:3
      
      emerging-misc > all
      >>>DISABLED:0
      
      emerging-mobile_malware > all except:
      2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
      2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI
      >>>DISABLED:2
      
      emerging-netbios > all
      >>>DISABLED:0
      
      emerging-p2p > all except:
      2000369 ET P2P BitTorrent Announce
      2007727 ET P2P possible torrent download
      2008581 ET P2P BitTorrent DHT ping request
      2008583 ET P2P BitTorrent DHT nodes reply
      2008585 ET P2P BitTorrent DHT announce_peers request
      2010144 ET P2P Vuze BT UDP Connection (5)
      2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
      2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
      2014734 ET P2P BitTorrent - Torrent File Downloaded
      2003317 ET P2P Edonkey Search Request (any type file)
      2009971 ET P2P eMule KAD Network Hello Request (2)
      2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)
      >>>DISABLED:12
      
      emerging-policy > all except:
      2000419 ET POLICY PE EXE or DLL Windows file download
      2000428 ET POLICY ZIP file download
      2001115 ET POLICY MSI (microsoft installer file) download
      2003595 ET POLICY exe download via HTTP - Informational
      2001898 ET POLICY eBay Bid Placed
      2001907 ET POLICY eBay Placing Item for sale
      2001908 ET POLICY eBay View Item
      2001909 ET POLICY eBay Watch This Item
      2003303 ET POLICY FTP Login Attempt (non-anonymous)
      2003410 ET POLICY FTP Login Successful
      2003121 ET POLICY docs.google.com Activity
      2003597 ET POLICY Google Calendar in Use
      2002801 ET POLICY Google Desktop User-Agent Detected
      2002838 ET POLICY Google Search Appliance browsing the Internet
      2000035 ET POLICY Hotmail Inbox Access
      2000036 ET POLICY Hotmail Message Access
      2000037 ET POLICY Hotmail Compose Message Access
      2000038 ET POLICY Hotmail Compose Message Submit
      2000039 ET POLICY Hotmail Compose Message Submit Data
      2008238 ET POLICY Hotmail Inbox Access
      2008239 ET POLICY Hotmail Message Access
      2008240 ET POLICY Hotmail Compose Message Access
      2008242 ET POLICY Hotmail Access Full Mode
      2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
      2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
      2002330 ET POLICY Google Talk TLS Client Traffic
      2002332 ET POLICY Google IM traffic Windows client user sign-on
      2002333 ET POLICY Google IM traffic friend invited
      2002878 ET POLICY iTunes User Agent
      2002722 ET POLICY MP3 File Transfer Outbound
      2002723 ET POLICY MP3 File Transfer Inbound
      2001114 ET POLICY Mozilla XPI install files download
      2001973 ET POLICY SSH Server Banner Detected on Expected Port
      2001974 ET POLICY SSH Client Banner Detected on Expected Port
      2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
      2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
      2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
      2001978 ET POLICY SSH session in progress on Expected Port
      2001979 ET POLICY SSH Server Banner Detected on Unusual Port
      2001980 ET POLICY SSH Client Banner Detected on Unusual Port
      2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
      2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
      2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
      2001984 ET POLICY SSH session in progress on Unusual Port
      2009001 ET POLICY Login Credentials Possibly Passed in URI
      2009004 ET POLICY Login Credentials Possibly Passed in POST Data
      2003214 ET POLICY Pingdom.com Monitoring detected
      2003215 ET POLICY Pingdom.com Monitoring Node Active
      2001669 ET POLICY Proxy GET Request
      2001670 ET POLICY Proxy HEAD Request
      2001674 ET POLICY Proxy POST Request
      2001675 ET POLICY Proxy CONNECT Request
      2002922 ET POLICY VNC Authentication Successful
      2002920 ET POLICY VNC Authentication Failure
      2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
      2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
      2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
      2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
      2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
      2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
      2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
      2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
      2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
      2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
      2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
      2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
      2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
      2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
      2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
      2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
      2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
      2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
      2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
      2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
      2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
      2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
      2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
      2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
      2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
      2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
      2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
      2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
      2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
      2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
      2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
      2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
      2001449 ET POLICY Proxy Connection detected
      2002822 ET POLICY Wget User Agent
      2002823 ET POLICY POSSIBLE Web Crawl using Wget
      2002824 ET POLICY CURL User Agent
      2002934 ET POLICY libwww-perl User Agent
      2002828 ET POLICY Googlebot User Agent
      2002829 ET POLICY Googlebot Crawl
      2002830 ET POLICY Msnbot User Agent
      2002831 ET POLICY Msnbot Crawl
      2002832 ET POLICY Yahoo Crawler User Agent
      2002833 ET POLICY Yahoo Crawler Crawl
      2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
      2002948 ET POLICY External Windows Update in Progress
      2002949 ET POLICY Windows Update in Progress
      2001402 ET POLICY ZIPPED DOC in transit
      2001403 ET POLICY ZIPPED XLS in transit
      2001404 ET POLICY ZIPPED EXE in transit
      2001405 ET POLICY ZIPPED PPT in transit
      2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
      2012647 ET POLICY Dropbox.com Offsite File Backup in Use
      2012648 ET POLICY Dropbox Client Broadcasting
      2013028 ET POLICY curl User-Agent Outbound
      2013030 ET POLICY libwww-perl User-Agent
      2013031 ET POLICY Python-urllib/ Suspicious User Agent
      2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
      2013414 ET POLICY Executable served from Amazon S3
      2013458 ET POLICY Facebook Like Button Clicked (1)
      2013459 ET POLICY Facebook Like Button Clicked (2)
      2013503 ET POLICY OS X Software Update Request Outbound
      2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
      2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
      2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
      2014313 ET POLICY Executable Download From DropBox
      2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
      2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
      2017015 ET POLICY DropBox User Content Access over SSL
      2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
      2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
      2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
      2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
      2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
      2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
      2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
      2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
      2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
      2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
      2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
      2001328 ET POLICY SSN Detected in Clear Text (dashed)
      2001384 ET POLICY SSN Detected in Clear Text (spaced)
      2007971 ET POLICY SSN Detected in Clear Text (SSN )
      2007972 ET POLICY SSN Detected in Clear Text (SSN# )
      2011854 ET POLICY Java JAR file download
      2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets   <<<<<<<< handled by ticking block bogon networks in interface settings
      2002752 ET POLICY Reserved Internal IP Traffic    <<<<<<<<<<<<< handled by ticking block private networks in interface settings
      2000418 ET POLICY Executable and linking format (ELF) file download
      2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
      2016877 ET POLICY Unsupported/Fake FireFox Version 2.
      2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
      2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
      2013255 ET POLICY Majestic12 User-Agent Request Inbound
      2014726 ET POLICY Outdated Windows Flash Version IE
      2012911 ET POLICY URL Contains password Parameter
      2011085 ET POLICY HTTP Redirect to IPv4 Address
      2009303 ET POLICY MediaFire file download service access
      2000356 ET POLICY IRC connection [stops IRC from working, misses a lot of real IRC connections]
      >>>DISABLED:151
      
      emerging-pop3 > ---
      
      DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS
      
      DO NOT USE! > emerging-rbn > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS
      
      emerging-rpc > ---
      
      emerging-scada > all
      >>>DISABLED:0
      
      emerging-scan > all except
      2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
      2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
      2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
      2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
      2011367 ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN)
      >>>DISABLED:5
      
      emerging-shellcode > all except
      2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
      2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
      2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
      2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
      2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
      2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
      2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String
      >>>DISABLED:7
      
      emerging-smtp > all
      >>>DISABLED:0
      
      emerging-snmp > all
      >>>DISABLED:0
      
      emerging-sql > all
      >>>DISABLED:0
      
      emerging-telnet > all
      >>>DISABLED:0
      
      emerging-tftp > all
      >>>DISABLED:0
      
      DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p
      
      emerging-trojan > all except:
      2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
      2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
      2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
      2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
      2001046 ET TROJAN UPX compressed file download possible malware
      >>>DISABLED:5
      
      emerging-user_agents > all except:
      2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan
      >>>DISABLED:1
      
      emerging-voip > all
      >>>DISABLED:0
      
      emerging-web_client > all except
      2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
      2011507 ET WEB_CLIENT PDF With Embedded File
      2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
      2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
      2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
      2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
      2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
      2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
      2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
      2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
      2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
      2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
      2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt
      >>>DISABLED:13
      
      emerging-web_server > all except
      2003099 ET WEB_SERVER Poison Null Byte
      2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
      2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
      2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
      2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
      2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)
      >>>DISABLED:5
      
      emerging-web_specific_apps > all except:
      2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
      2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
      2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
      2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
      2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt
      >>>DISABLED:5
      
      emerging-worm > all
      >>>DISABLED:0
      
      GPLv2 community rules > all except
      254 DNS SPOOF query response with TTL of 1 min. and no authority
      384 PROTOCOL-ICMP PING
      385 PROTOCOL-ICMP traceroute
      399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
      402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
      408 PROTOCOL-ICMP Echo Reply
      540 POLICY-SOCIAL Microsoft MSN message
      648 INDICATOR-SHELLCODE x86 NOOP
      649 INDICATOR-SHELLCODE x86 setgid 0
      1200 INDICATOR-COMPROMISE Invalid URL
      1201 INDICATOR-COMPROMISE 403 Forbidden
      1292 INDICATOR-COMPROMISE directory listing
      1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
      1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
      1437 FILE-IDENTIFY Microsoft Windows Media download detected
      1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
      1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
      1852 SERVER-WEBAPP robots.txt access
      1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
      1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
      1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
      1990 POLICY-SOCIAL Microsoft MSN user search
      1991 POLICY-SOCIAL Microsoft MSN login attempt
      2180 PUA-P2P BitTorrent announce request
      2181 PUA-P2P BitTorrent transfer
      2707 FILE-IMAGE JPEG parser multipacket heap overflow
      3463 SERVER-WEBAPP awstats access
      25518 OS-OTHER Apple iPod User-Agent detected
      25519 OS-OTHER Apple iPad User-Agent detected
      25520 OS-OTHER Apple iPhone User-Agent detected
      25521 OS-OTHER Android User-Agent detected
      25522 OS-OTHER Nokia User-Agent detected
      25523 OS-OTHER Samsung User-Agent detected
      25524 OS-OTHER Kindle User-Agent detected
      25525 OS-OTHER Nintendo User-Agent detected
      2417 PROTOCOL-FTP format string attempt
      1377 PROTOCOL-FTP wu-ftp bad file completion attempt
      1378 PROTOCOL-FTP wu-ftp bad file completion attempt
      
      >>>DISABLED:38
      
      IPS Policy - Security > all except
      19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
      18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
      16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
      25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
      16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
      15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
      15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
      13360 APP-DETECT failed FTP login attempt
      23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
      14772 WEB-CLIENT libpng malformed chunk denial of service attempt
      29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt
      27948 FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt
      17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
      17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
      19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
      19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
      19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow  <<< Affects Firefox v3.5.1-3.6.6.  No longer needed, delete upstream.
      19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
      19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
      19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
      19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
      17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
      25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
      25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
      25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
      25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
      24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
      24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
      24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
      21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
      20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
      16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6.  No longer needed, delete upstream.
      16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6.  No longer needed, delete upstream.
      29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0.  No longer needed, delete upstream.
      >>DISABLED:34
      
      preprocessor.rules > all except (first_column:second_column details)
      119:2 HI_CLIENT_DOUBLE_DECODE
      119:4 HI_CLIENT_BARE_BYTE
      119:7 HI_CLIENT_IIS_UNICODE
      119:14 HI_CLIENT_NON_RFC_CHAR
      119:31 HI_CLIENT_UNKNOWN_METHOD
      119:32 HI_CLIENT_SIMPLE_REQUEST
      120:2 HI_SERVER_INVALID_STATCODE
      120:3 HI_SERVER_NO_CONTLEN
      120:4 HI_SERVER_UTF_NORM_FAIL
      120:6 HI_SERVER_DECOMPR_FAILED
      120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
      120:9 HI_SERVER_JS_OBFUSCATION_EXCD
      120:10 HI_SERVER_JS_EXCESS_WS
      122:1 PSNG_TCP_PORTSCAN
      122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
      122:17 PSNG_UDP_PORTSCAN
      122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
      124:3 SMTP_RESPONSE_OVERFLOW
      124:10 SMTP_B64_DECODING_FAILED
      125:1 FTPP_FTP_TELNET_CMD
      125:2 FTPP_FTP_INVALID_CMD
      125:7 FTPP_FTP_ENCRYPTED
      125:9 FTPP_FTP_EVASIVE_TELNET_CMD
      137:1 SSL_INVALID_CLIENT_HELLO
      141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
      141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
      145:2 DNP3_DROPPED_FRAME
      DISABLED>>>27
      
      DO NOT USE! > sensitive-data.rules > NONE enabled
      
      Suppression list:
      
      #GLOBAL
      # gen_id 1
      suppress gen_id 1, sig_id 536
      suppress gen_id 1, sig_id 653
      suppress gen_id 1, sig_id 2452
      suppress gen_id 1, sig_id 11192
      suppress gen_id 1, sig_id 15306
      suppress gen_id 1, sig_id 16313
      suppress gen_id 1, sig_id 17458
      suppress gen_id 1, sig_id 20583
      suppress gen_id 1, sig_id 2000334
      suppress gen_id 1, sig_id 2008120
      suppress gen_id 1, sig_id 2010516
      suppress gen_id 1, sig_id 20122758
      suppress gen_id 1, sig_id 2014518
      suppress gen_id 1, sig_id 2014520
      suppress gen_id 1, sig_id 2100366
      suppress gen_id 1, sig_id 2100368
      suppress gen_id 1, sig_id 2100651
      suppress gen_id 1, sig_id 2101390
      suppress gen_id 1, sig_id 2101424
      suppress gen_id 1, sig_id 2102314
      suppress gen_id 1, sig_id 2103134
      suppress gen_id 1, sig_id 2500056
      suppress gen_id 1, sig_id 100000230
      suppress gen_id 3, sig_id 14772
      #(IMAP) Unknown IMAP4 command
      suppress gen_id 141, sig_id 1
      
      pfBlocker extra lists:
      TYPE LIST
      txt http://www.spamhaus.org/drop/drop.txt
      txt http://www.spamhaus.org/drop/edrop.txt
      
      
      1 Reply Last reply Reply Quote 0
      • R
        Ramosel
        last edited by

        Since you have changed the format of how you are posting the updates in this post, is this a repost of the March 15th update or something new?

        Rick

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          @Ramosel:

          Since you have changed the format of how you are posting the updates in this post, is this a repost of the March 15th update or something new?

          Rick

          See quote and rule sample:
          @jflsakfja:

          This update brings a couple dozen no longer needed rules, and I have now started adding an explanation of why I deleted a certain rule next to it, after <<<

          
          17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
          17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
          19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
          19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
          19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow  <<< Affects Firefox v3.5.1-3.6.6.  No longer needed, delete upstream.
          19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
          19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
          19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
          19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
          17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
          25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
          25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
          25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
          25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
          24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
          24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
          24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
          21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
          20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
          16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6.  No longer needed, delete upstream.
          16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6.  No longer needed, delete upstream.
          29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0.  No longer needed, delete upstream.
          
          
          1 Reply Last reply Reply Quote 0
          • G
            G.D. Wusser Esq.
            last edited by

            I have a quick question about mechanics of what exactly this rule is detecting.

            @jflsakfja:

            2017015 ET POLICY DropBox User Content Access over SSL

            The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).

            What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?

            Could it be one, or another, or both?

            Thank you.

            1 Reply Last reply Reply Quote 0
            • BBcan177B
              BBcan177 Moderator
              last edited by

              @G.D.:

              2017015 ET POLICY DropBox User Content Access over SSL

              The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).

              What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?

              Could it be one, or another, or both?

              This is the rule

              alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,from_server; content:"|55 04 03|"; content:"|18|*.dropboxusercontent.com"; nocase; distance:1; within:25; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:6;)

              This is the reference URL in the rule  https://www.dropbox.com/help/201/en  which doesn't say too much.

              There is a lot of Crap on AWS. I found the following reference -

              "Data uploaded by the Dropbox client software is also encrypted before it is uploaded to Dropbox servers. Dropbox stores files on Amazon's S3 service. The company encrypts files with 256-bit AES before transmitting them to Amazon's servers via an SSL connection. However, Dropbox employees can decrypt these files, as can the Dropbox system."

              Maybe posting on the Snort forum would get the right information for this type of question.

              https://groups.google.com/forum/#!forum/mailing.unix.snort

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                @G.D.:

                I have a quick question about mechanics of what exactly this rule is detecting.

                @jflsakfja:

                2017015 ET POLICY DropBox User Content Access over SSL

                The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).

                What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?

                Could it be one, or another, or both?

                Thank you.

                In addition to what user BBcan177 stated and provided above with regards to this alert, my guess is a client computer on your network clicked on a web link that downloads Dropbox content.  You do not have to have the Dropbox client installed to download and view someone else's content.  I don't have Dropbox on my LAN, but my family has sent me links to photos hosted on their Dropbox accounts.  So my bet is one of your LAN users clicked a link in an e-mail or even a web page that then connects via https:// to Dropbox to grab the content.  The Snort rule is simply alerting on that action.

                Bill

                1 Reply Last reply Reply Quote 0
                • G
                  G.D. Wusser Esq.
                  last edited by

                  Thank you for the explanation. I appreciate it. It seems somewhat counter-intuitive to me that Snort would ignore the outgoing request for the prohibited resource, and only catch it on the way back, when the remote server starts transmitting to the local port.

                  I have much to learn about Snort.

                  1 Reply Last reply Reply Quote 0
                  • ?
                    A Former User
                    last edited by

                    Warning: This post may contain rage directed at the snort/suricata rule writers. It does NOT contain rage directed at any of the poor souls trying to make a usable product of the mess that is The Rules.

                    And rule writers have an order of magnitude more than you to learn about writing rules and/or using snort. (translation-and-a-fact-actually:MOST rule writers have no idea what a rule is and what a rule does)

                    Snippet from the upcoming blueprint for suricata:
                    2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected <<< so WTF is windows 7 then???

                    Since nobody on the entire internet reads this topic, that brutal FP rule will never be corrected. Trillions upon quadrillions of man hours will be wasted to disable that rule, after thousands upon thousands of debates on whether Windows 7 is version 7 or version 6 (hint:it's 6.1 and the rule fires up after a clean install's first time updates).

                    The Golden Standards for Rule Writing

                    1. Rules should detect what they are designed to detect (most rules actually do this)
                    2. A rule to detect a successful ftp login is not only idiotic, it's an insult of my intelligence. Applies to apt-get rule as well.
                    3. A rule set up on an abacus then carried over to snort should REALLY be dropped. No arguments, no what-ifs, no think-of-the-children, no terrorism (includes cyberterrorism). Just build up the courage and delete old rules already. Nobody needs them.

                    Most rules meet only point 1. There are exceptions of course.
                    I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                    Note to those that say "ZOMG!!!oneeleven WHAT ABOUT DETECTING WINDOWS 7 WHEN YOU ARE ON AN ALL LINUX NETWORK????".

                    1. THERE IS NOTHING SUSPICIOUS ABOUT A VALID WINDOWS RELEASE! (other than the three-letter-agencies backdoors of course)
                    2. If you don't know what os each host runs, please consider a career change.
                    3. If a host whose OS you don't know managed to get on "The Internet", then you have bigger problems. Please see 2.
                    1 Reply Last reply Reply Quote 0
                    • R
                      Ramosel
                      last edited by

                      @jflsakfja:

                      I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                      First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system

                      I don't know that this is a question or just a curiosity…  what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality.  At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself.  Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?

                      To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability.  My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.

                      Rick

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        @G.D.:

                        Thank you for the explanation. I appreciate it. It seems somewhat counter-intuitive to me that Snort would ignore the outgoing request for the prohibited resource, and only catch it on the way back, when the remote server starts transmitting to the local port.

                        I have much to learn about Snort.

                        The outgoing request from your LAN client may well not contain all the "triggers" needed by the rule.  Only the data coming back contained everything necessary (and in the right order) to trigger the rule.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          @Ramosel:

                          @jflsakfja:

                          I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                          First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system

                          I don't know that this is a question or just a curiosity…  what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality.  At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself.  Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?

                          To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability.  My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.

                          Rick

                          There are (well, actually, "will be") two ways to implement in-line mode in Snort and Suricata.  One utilizes ipfw.  This is the part of pfSense that today does not fully function in IPS mode.  It's also the mode, that even if fixed to work, will still offer very poor performance throughput due to the swaps back and forth between kernel space and user land for packets.  The other mechanism that really offers promise is Netmap.  This is now part of FreeBSD 10, and I assume (but have not verified) it is in pfSense 2.2.  There is a feature request that is currently showing as 50% complete in the Suricata source tree to add a Netmap API module so that Suricata can use it.  I'm not sure why the feature is not 100% finished yet.

                          Back to Snort.  Snort's DAQ module that does all the packet acquisition can utilize ipfw on BSD systems to do in-line drops.  I have not seen anything about Netmap support in Snort yet, though.  Somebody may be contemplating it, but I did not see any links in my initial searches.

                          So to summarize – the ideal way forward is to use the Netmap support in FreeBSD 10 as the architecture for implementing inline IPS in Suricata (and maybe even Snort).  However, we are now in a waiting game while those two upstream source trees fully incorporate Netmap support.  In my view, ipfw is probably a lost cause due first to the potential performance issues, and second to the fact it would have to be updated in the pfSense code in order to work correctly.

                          As to liking Suricata over Snort (or vice-versa), that is really mostly personal preference at this time.  Maybe if Suricata gets full Netmap support and Snort does not, then the choice becomes more clear cut.

                          Bill

                          1 Reply Last reply Reply Quote 0
                          • ?
                            A Former User
                            last edited by

                            @Ramosel:

                            @jflsakfja:

                            I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                            First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system

                            I don't know that this is a question or just a curiosity…  what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality.  At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself.  Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?

                            To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability. My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.

                            Rick

                            Snort inline is dead. Any hope of resurrecting the project (coming from die hard snort fans, companies funneling trillions of $ into snort inline, fanbois, not related passers by) is nothing more than a hope. As an added nail in snort inline's coffin is that pretty much all development for it has stopped when suricata was born, since most (all?) developers (wrt inline) moved over to that project.

                            Just to put it in plain sight: snort inline is DEAD. Any future posts mentioning snort inline should be accompanied by "R.I.P. snort inline". If you want that functionality, migrate to suricata. As for all the (inevitably) coming [citation needed] posts, I'm not the one saying snort inline is dead, migrate to suricata. It's actually snort inline's site. Here I'll make everybody's life easier: http://snort-inline.sourceforge.net/

                            Right now the best course forward is to work as much as we can to get suricata fully functional under pfsense. Even if the inline part doesn't get implemented for another 40 years, the foundations will be there when it does. I know this will upset everybody related to snort, but now that cisco has taken over snort, I'm waiting for the announcement that snort will no longer be supported any day now. Maybe tomorrow. Maybe the day after that. Maybe next week. It WILL be here eventually.

                            1 Reply Last reply Reply Quote 0
                            • ?
                              A Former User
                              last edited by

                              This is the final rule post in this topic. Moving forward, the rules will be found in the suricata topic, which I'll create in a couple of days. I strongly advise all to move to suricata and stop using snort.

                              With that out of the way, here's the rule updates:

                              In tab "Rules", under "Category" select:
                              (–- means blank table at time of writing)

                              Auto-Flowbit rules > all except:
                              8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
                              23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected

                              DISABLED:2

                              emerging-activex > all

                              DISABLED:0

                              emerging-attack_responses > all

                              DISABLED:0

                              DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt <<< CARE!!! a lot of IRC servers are listed here. Try it first, an IRC network that you need to work, doesn't, then remove it.

                              emerging-chat > all except:
                              2010784 ET CHAT Facebook Chat (send message)
                              2010785 ET CHAT Facebook Chat (buddy list)
                              2010786 ET CHAT Facebook Chat (settings)
                              2010819 ET CHAT Facebook Chat using XMPP
                              2002327 ET CHAT Google Talk (Jabber) Client Login
                              2002334 ET CHAT Google IM traffic Jabber client sign-on
                              2001241 ET CHAT MSN file transfer request
                              2001242 ET CHAT MSN file transfer accept
                              2001243 ET CHAT MSN file transfer reject
                              2001682 ET CHAT MSN IM Poll via HTTP
                              2002192 ET CHAT MSN status change
                              2008289 ET CHAT Possible MSN Messenger File Transfer
                              2009375 ET CHAT General MSN Chat Activity
                              2009376 ET CHAT MSN User-Agent Activity
                              2001595 ET CHAT Skype VOIP Checking Version (Startup)
                              2002157 ET CHAT Skype User-Agent detected
                              2003022 ET CHAT Skype Bootstrap Node (udp)
                              2000355 ET CHAT IRC authorization message [stops IRC from working]
                              2002024 ET CHAT IRC NICK command [stops IRC from working]
                              2002028 ET CHAT IRC PONG response [stops IRC from working]
                              2002025 ET CHAT IRC JOIN command [stops IRC from working]
                              2002026 ET CHAT IRC PRIVMSG command [stops IRC from working]

                              DISABLED:22

                              DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt

                              DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

                              emerging-current_events > all
                              2014527 ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client <<< Tired of manually cleaning up after this one.

                              DISABLED:1

                              emerging-deleted > –-

                              emerging-dns > all except:
                              2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
                              2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
                              2001117 ET DNS Standard query response, Name Error

                              DISABLED:3

                              emerging-dos > all

                              DISABLED:0

                              DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p

                              DO NOT USE! > emerging-dshield > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

                              emerging-exploit > all except:
                              2001058 ET EXPLOIT libpng tRNS overflow attempt
                              2002913 ET EXPLOIT VNC Client response
                              2002914 ET EXPLOIT VNC Server VNC Auth Offer
                              2002919 ET EXPLOIT VNC Good Authentication Reply
                              2002915 ET EXPLOIT VNC Authentication Reply
                              2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
                              2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

                              DISABLED:7

                              emerging-ftp > all
                              2010731 ET FTP FTP CWD command attempt without login

                              DISABLED:1

                              emerging-games > all

                              DISABLED:0

                              emerging-icmp > ---

                              emerging-icmp_info > ---

                              emerging-imap > ---

                              emerging-inappropriate > all except:
                              2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
                              2001608 ET INAPPROPRIATE Likely Porn

                              DISABLED:2

                              emerging-info > all except:
                              2014472 ET INFO JAVA - Java Archive Download
                              2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
                              2014819 ET INFO Packed Executable Download
                              2015016 ET INFO FTP STOR to External Network
                              2015561 ET INFO PDF Using CCITTFax Filter
                              2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
                              2016360 ET INFO JAVA - ClassID
                              2016361 ET INFO JAVA - ClassID
                              2016404 ET INFO MPEG Download Over HTTP (1)
                              2015674 ET INFO 3XX redirect to data URL
                              2016847 ET INFO Possible Chrome Plugin install
                              2017669 ET INFO Zip File

                              DISABLED:12

                              emerging-malware > all except:
                              2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
                              2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
                              2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related

                              DISABLED:3

                              emerging-misc > all

                              DISABLED:0

                              emerging-mobile_malware > all except:
                              2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
                              2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

                              DISABLED:2

                              emerging-netbios > all

                              DISABLED:0

                              emerging-p2p > all except:
                              2000369 ET P2P BitTorrent Announce
                              2007727 ET P2P possible torrent download
                              2008581 ET P2P BitTorrent DHT ping request
                              2008583 ET P2P BitTorrent DHT nodes reply
                              2008585 ET P2P BitTorrent DHT announce_peers request
                              2010144 ET P2P Vuze BT UDP Connection (5)
                              2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
                              2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
                              2014734 ET P2P BitTorrent - Torrent File Downloaded
                              2003317 ET P2P Edonkey Search Request (any type file)
                              2009971 ET P2P eMule KAD Network Hello Request (2)
                              2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)

                              DISABLED:12

                              emerging-policy > all except:
                              2000419 ET POLICY PE EXE or DLL Windows file download
                              2000428 ET POLICY ZIP file download
                              2001115 ET POLICY MSI (microsoft installer file) download
                              2003595 ET POLICY exe download via HTTP - Informational
                              2001898 ET POLICY eBay Bid Placed
                              2001907 ET POLICY eBay Placing Item for sale
                              2001908 ET POLICY eBay View Item
                              2001909 ET POLICY eBay Watch This Item
                              2003303 ET POLICY FTP Login Attempt (non-anonymous)
                              2003410 ET POLICY FTP Login Successful
                              2003121 ET POLICY docs.google.com Activity
                              2003597 ET POLICY Google Calendar in Use
                              2002801 ET POLICY Google Desktop User-Agent Detected
                              2002838 ET POLICY Google Search Appliance browsing the Internet
                              2000035 ET POLICY Hotmail Inbox Access
                              2000036 ET POLICY Hotmail Message Access
                              2000037 ET POLICY Hotmail Compose Message Access
                              2000038 ET POLICY Hotmail Compose Message Submit
                              2000039 ET POLICY Hotmail Compose Message Submit Data
                              2008238 ET POLICY Hotmail Inbox Access
                              2008239 ET POLICY Hotmail Message Access
                              2008240 ET POLICY Hotmail Compose Message Access
                              2008242 ET POLICY Hotmail Access Full Mode
                              2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
                              2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
                              2002330 ET POLICY Google Talk TLS Client Traffic
                              2002332 ET POLICY Google IM traffic Windows client user sign-on
                              2002333 ET POLICY Google IM traffic friend invited
                              2002878 ET POLICY iTunes User Agent
                              2002722 ET POLICY MP3 File Transfer Outbound
                              2002723 ET POLICY MP3 File Transfer Inbound
                              2001114 ET POLICY Mozilla XPI install files download
                              2001973 ET POLICY SSH Server Banner Detected on Expected Port
                              2001974 ET POLICY SSH Client Banner Detected on Expected Port
                              2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
                              2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
                              2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
                              2001978 ET POLICY SSH session in progress on Expected Port
                              2001979 ET POLICY SSH Server Banner Detected on Unusual Port
                              2001980 ET POLICY SSH Client Banner Detected on Unusual Port
                              2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
                              2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
                              2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
                              2001984 ET POLICY SSH session in progress on Unusual Port
                              2009001 ET POLICY Login Credentials Possibly Passed in URI
                              2009004 ET POLICY Login Credentials Possibly Passed in POST Data
                              2003214 ET POLICY Pingdom.com Monitoring detected
                              2003215 ET POLICY Pingdom.com Monitoring Node Active
                              2001669 ET POLICY Proxy GET Request
                              2001670 ET POLICY Proxy HEAD Request
                              2001674 ET POLICY Proxy POST Request
                              2001675 ET POLICY Proxy CONNECT Request
                              2002922 ET POLICY VNC Authentication Successful
                              2002920 ET POLICY VNC Authentication Failure
                              2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
                              2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
                              2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
                              2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
                              2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
                              2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
                              2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
                              2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
                              2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
                              2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
                              2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
                              2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
                              2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
                              2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
                              2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
                              2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
                              2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
                              2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
                              2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
                              2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
                              2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
                              2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
                              2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
                              2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
                              2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
                              2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
                              2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
                              2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
                              2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
                              2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
                              2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
                              2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
                              2001449 ET POLICY Proxy Connection detected
                              2002822 ET POLICY Wget User Agent
                              2002823 ET POLICY POSSIBLE Web Crawl using Wget
                              2002824 ET POLICY CURL User Agent
                              2002934 ET POLICY libwww-perl User Agent
                              2002828 ET POLICY Googlebot User Agent
                              2002829 ET POLICY Googlebot Crawl
                              2002830 ET POLICY Msnbot User Agent
                              2002831 ET POLICY Msnbot Crawl
                              2002832 ET POLICY Yahoo Crawler User Agent
                              2002833 ET POLICY Yahoo Crawler Crawl
                              2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
                              2002948 ET POLICY External Windows Update in Progress
                              2002949 ET POLICY Windows Update in Progress
                              2001402 ET POLICY ZIPPED DOC in transit
                              2001403 ET POLICY ZIPPED XLS in transit
                              2001404 ET POLICY ZIPPED EXE in transit
                              2001405 ET POLICY ZIPPED PPT in transit
                              2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
                              2012647 ET POLICY Dropbox.com Offsite File Backup in Use
                              2012648 ET POLICY Dropbox Client Broadcasting
                              2013028 ET POLICY curl User-Agent Outbound
                              2013030 ET POLICY libwww-perl User-Agent
                              2013031 ET POLICY Python-urllib/ Suspicious User Agent
                              2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
                              2013414 ET POLICY Executable served from Amazon S3
                              2013458 ET POLICY Facebook Like Button Clicked (1)
                              2013459 ET POLICY Facebook Like Button Clicked (2)
                              2013503 ET POLICY OS X Software Update Request Outbound
                              2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
                              2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
                              2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
                              2014313 ET POLICY Executable Download From DropBox
                              2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
                              2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
                              2017015 ET POLICY DropBox User Content Access over SSL
                              2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
                              2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
                              2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
                              2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
                              2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
                              2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
                              2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
                              2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
                              2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
                              2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
                              2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
                              2001328 ET POLICY SSN Detected in Clear Text (dashed)
                              2001384 ET POLICY SSN Detected in Clear Text (spaced)
                              2007971 ET POLICY SSN Detected in Clear Text (SSN )
                              2007972 ET POLICY SSN Detected in Clear Text (SSN# )
                              2011854 ET POLICY Java JAR file download
                              2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets  <<<<<<<< handled by ticking block bogon networks in interface settings
                              2002752 ET POLICY Reserved Internal IP Traffic    <<<<<<<<<<<<< handled by ticking block private networks in interface settings
                              2000418 ET POLICY Executable and linking format (ELF) file download
                              2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
                              2016877 ET POLICY Unsupported/Fake FireFox Version 2.
                              2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
                              2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
                              2013255 ET POLICY Majestic12 User-Agent Request Inbound
                              2014726 ET POLICY Outdated Windows Flash Version IE
                              2012911 ET POLICY URL Contains password Parameter
                              2011085 ET POLICY HTTP Redirect to IPv4 Address
                              2009303 ET POLICY MediaFire file download service access
                              2000356 ET POLICY IRC connection [stops IRC from working, misses a lot of real IRC connections]
                              2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active <<< Breaks IPv6 Tunnels

                              DISABLED:152

                              emerging-pop3 > –-

                              DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS

                              DO NOT USE! > emerging-rbn > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS

                              emerging-rpc > ---

                              emerging-scada > all

                              DISABLED:0

                              emerging-scan > all except
                              2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
                              2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
                              2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
                              2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
                              2011367 ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN)
                              2000538 ET SCAN NMAP -sA (1) <<< FP when accessing certain sites over IPv6

                              DISABLED:6

                              emerging-shellcode > all except
                              2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
                              2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
                              2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
                              2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
                              2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
                              2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
                              2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String

                              DISABLED:7

                              emerging-smtp > all

                              DISABLED:0

                              emerging-snmp > all

                              DISABLED:0

                              emerging-sql > all

                              DISABLED:0

                              emerging-telnet > all

                              DISABLED:0

                              emerging-tftp > all

                              DISABLED:0

                              DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p

                              emerging-trojan > all except:
                              2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
                              2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
                              2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
                              2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
                              2001046 ET TROJAN UPX compressed file download possible malware
                              2016950 ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA

                              DISABLED:6

                              emerging-user_agents > all except:
                              2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

                              DISABLED:1

                              emerging-voip > all

                              DISABLED:0

                              emerging-web_client > all except
                              2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
                              2011507 ET WEB_CLIENT PDF With Embedded File
                              2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
                              2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
                              2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
                              2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
                              2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
                              2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
                              2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
                              2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
                              2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
                              2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
                              2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt

                              DISABLED:13

                              emerging-web_server > all except
                              2003099 ET WEB_SERVER Poison Null Byte
                              2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
                              2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
                              2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
                              2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
                              2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)

                              DISABLED:5

                              emerging-web_specific_apps > all except:
                              2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
                              2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
                              2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
                              2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
                              2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt

                              DISABLED:5

                              emerging-worm > all

                              DISABLED:0

                              GPLv2 community rules > all except
                              254 DNS SPOOF query response with TTL of 1 min. and no authority
                              384 PROTOCOL-ICMP PING
                              385 PROTOCOL-ICMP traceroute
                              399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
                              402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
                              408 PROTOCOL-ICMP Echo Reply
                              540 POLICY-SOCIAL Microsoft MSN message
                              648 INDICATOR-SHELLCODE x86 NOOP
                              649 INDICATOR-SHELLCODE x86 setgid 0
                              1200 INDICATOR-COMPROMISE Invalid URL
                              1201 INDICATOR-COMPROMISE 403 Forbidden
                              1292 INDICATOR-COMPROMISE directory listing
                              1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
                              1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
                              1437 FILE-IDENTIFY Microsoft Windows Media download detected
                              1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
                              1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
                              1852 SERVER-WEBAPP robots.txt access
                              1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
                              1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
                              1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
                              1990 POLICY-SOCIAL Microsoft MSN user search
                              1991 POLICY-SOCIAL Microsoft MSN login attempt
                              2180 PUA-P2P BitTorrent announce request
                              2181 PUA-P2P BitTorrent transfer
                              2707 FILE-IMAGE JPEG parser multipacket heap overflow
                              3463 SERVER-WEBAPP awstats access
                              25518 OS-OTHER Apple iPod User-Agent detected
                              25519 OS-OTHER Apple iPad User-Agent detected
                              25520 OS-OTHER Apple iPhone User-Agent detected
                              25521 OS-OTHER Android User-Agent detected
                              25522 OS-OTHER Nokia User-Agent detected
                              25523 OS-OTHER Samsung User-Agent detected
                              25524 OS-OTHER Kindle User-Agent detected
                              25525 OS-OTHER Nintendo User-Agent detected
                              2417 PROTOCOL-FTP format string attempt
                              1377 PROTOCOL-FTP wu-ftp bad file completion attempt
                              1378 PROTOCOL-FTP wu-ftp bad file completion attempt

                              DISABLED:38

                              IPS Policy - Security > all except
                              19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
                              18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
                              16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
                              25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
                              16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
                              15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
                              15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
                              13360 APP-DETECT failed FTP login attempt
                              23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
                              14772 WEB-CLIENT libpng malformed chunk denial of service attempt
                              29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt
                              27948 FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt
                              17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                              17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                              19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream.
                              19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream.
                              19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow  <<< Affects Firefox v3.5.1-3.6.6.  No longer needed, delete upstream.
                              19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                              19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                              19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                              19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                              17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                              25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                              25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                              25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                              25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                              24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                              24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                              24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                              21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                              20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                              16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                              16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                              29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0.  No longer needed, delete upstream.

                              DISABLED:34

                              preprocessor.rules > all except (first_column:second_column details)
                              119:2 HI_CLIENT_DOUBLE_DECODE
                              119:4 HI_CLIENT_BARE_BYTE
                              119:7 HI_CLIENT_IIS_UNICODE
                              119:14 HI_CLIENT_NON_RFC_CHAR
                              119:31 HI_CLIENT_UNKNOWN_METHOD
                              119:32 HI_CLIENT_SIMPLE_REQUEST
                              119:33 HI_CLIENT_UNESCAPED_SPACE_IN_URI <<< FPs all over the place. Especially fun when it bans a cdn's ip. That's when calls start coming in. Fun!
                              120:2 HI_SERVER_INVALID_STATCODE
                              120:3 HI_SERVER_NO_CONTLEN
                              120:4 HI_SERVER_UTF_NORM_FAIL
                              120:6 HI_SERVER_DECOMPR_FAILED
                              120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
                              120:9 HI_SERVER_JS_OBFUSCATION_EXCD
                              120:10 HI_SERVER_JS_EXCESS_WS
                              122:1 PSNG_TCP_PORTSCAN
                              122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
                              122:5 PSNG_TCP_FILTERED_PORTSCAN <<< Fires up on our remote monitoring servers
                              122:17 PSNG_UDP_PORTSCAN
                              122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
                              124:3 SMTP_RESPONSE_OVERFLOW
                              124:10 SMTP_B64_DECODING_FAILED
                              124:11 SMTP_QP_DECODING_FAILED <<< FPs seen coming from normal email sources
                              125:1 FTPP_FTP_TELNET_CMD
                              125:2 FTPP_FTP_INVALID_CMD
                              125:7 FTPP_FTP_ENCRYPTED
                              125:9 FTPP_FTP_EVASIVE_TELNET_CMD
                              137:1 SSL_INVALID_CLIENT_HELLO
                              141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
                              141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
                              145:2 DNP3_DROPPED_FRAME
                              DISABLED>>>30

                              DO NOT USE! > sensitive-data.rules > NONE enabled

                              Suppression list:

                              #GLOBAL

                              gen_id 1

                              suppress gen_id 1, sig_id 536
                              suppress gen_id 1, sig_id 653
                              suppress gen_id 1, sig_id 2452
                              suppress gen_id 1, sig_id 11192
                              suppress gen_id 1, sig_id 15306
                              suppress gen_id 1, sig_id 16313
                              suppress gen_id 1, sig_id 17458
                              suppress gen_id 1, sig_id 20583
                              suppress gen_id 1, sig_id 2000334
                              suppress gen_id 1, sig_id 2008120
                              suppress gen_id 1, sig_id 2010516
                              suppress gen_id 1, sig_id 20122758
                              suppress gen_id 1, sig_id 2014518
                              suppress gen_id 1, sig_id 2014520
                              suppress gen_id 1, sig_id 2100366
                              suppress gen_id 1, sig_id 2100368
                              suppress gen_id 1, sig_id 2100651
                              suppress gen_id 1, sig_id 2101390
                              suppress gen_id 1, sig_id 2101424
                              suppress gen_id 1, sig_id 2102314
                              suppress gen_id 1, sig_id 2103134
                              suppress gen_id 1, sig_id 2500056
                              suppress gen_id 1, sig_id 100000230
                              suppress gen_id 3, sig_id 14772
                              #(IMAP) Unknown IMAP4 command
                              suppress gen_id 141, sig_id 1

                              pfBlocker extra lists:
                              TYPE LIST
                              txt http://www.spamhaus.org/drop/drop.txt
                              txt http://www.spamhaus.org/drop/edrop.txttxt http://www.spamhaus.org/drop/edrop.txt

                              1 Reply Last reply Reply Quote 0
                              • M
                                Mr. Jingles
                                last edited by

                                @jflsakfja:

                                This is the final rule post in this topic. Moving forward, the rules will be found in the suricata topic, which I'll create in a couple of days. I strongly advise all to move to suricata and stop using snort.

                                I am somewhat of a fan of your writing style ever since I discovered you and I speak the same secret agents stuff (update, btw, the yellow cat is in the bathroom, I repeat: rain is expected this summer :P )

                                ;D

                                Anyhow, I do appreciate very much what you are doing for us all, and I've followed most of what you've written here. I even like your rants  ;D

                                But:

                                It is not quite clear why you write the part in bold in the above quote. Yes, I've read 'snort-inline is dead' (whatever that means precisely  :-[ ), but Bmeeks writes above that he is not particularly advocating the one over the other right now (Snort/Suricata).

                                So, my dear ranting man who knows secret stuffs ( ;D ): could I persuade you to write a little bit more about why move to Suricata [b]right now?

                                Thank you,

                                Bye,

                                6 and a half billion people know that they are stupid, agressive, lower life forms.

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  @Hollander:

                                  But:

                                  It is not quite clear why you write the part in bold in the above quote. Yes, I've read 'snort-inline is dead' (whatever that means precisely  :-[ ), but Bmeeks writes above that he is not particularly advocating the one over the other right now (Snort/Suricata).

                                  So, my dear ranting man who knows secret stuffs ( ;D ): could I persuade you to write a little bit more about why move to Suricata [b]right now?

                                  Thank you,

                                  Bye,

                                  There is one area, for home users, where Snort currently still has an edge.  That edge is the affordability of "current" rules updates.  For Snort VRT rules, the cost is $29.99 USD per year.  For Emerging Threats, you have to go with ET-PRO and I think that is close to $500 USD per year.  Last time I checked, the ET folks did not have a home-user level of subscription.  Suricata will not process all of the Snort VRT rules because some of them have rule option keywords that only Snort recognizes and processes.  So for those folks who maintain a Snort VRT subscription but use the rules on Suricata, be aware that not all of the rules will actually inspect traffic.  Make sure you always look in the suricata.log file on the LOGS BROWSER tab to see what (if any) Snort rules Suricata choked on and skipped loading.

                                  Both vendors (Snort VRT and Emerging Threats) offer free rules updates, but those are 30-day old rules at best.  And for ET, I think some of their more advanced malware and Trojan rules may never make it into the free updates.

                                  Performance wise Snort and Suricata on pfSense are pretty evenly matched as of now.  And for use in a commercial environment where you are subscribing to either Snort VRT updates or Emerging Threats PRO updates, there is really no huge difference in protection.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • BBcan177B
                                    BBcan177 Moderator
                                    last edited by

                                    "Emerging Threats" had a deal (if you call it a deal) for the ET PRO ruleset at ~$300 awhile back? Not sure if its still available.

                                    Jflsakfja's Blueprint for ET will be the same for either Snort or Suricata. Only issue is as Bill Stated that approx 600 Snort rules will not load in Suricata due to incompatible Regex issues. (Maybe these rules are already in the ET rulesets. I have never investigated that.)

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    1 Reply Last reply Reply Quote 0
                                    • ?
                                      A Former User
                                      last edited by

                                      A couple of months back I contacted the snort guys to remove some rules that were carved in stone back in pre-historic times, since the stone was chipped and some pieces of it went missing. A few thousand years later, the rules are still there, and that's why I decided to contact them. They completely ignored me, thinking (and if any of them passes by here, please confirm) that no matter how old a rule is, it's still worth it to spend the man hours to maintain it. That's one X for snort.

                                      You can see based on Bill's posts and mine around here that snort hasn't updated the imap commands yet. A critical part of an IDS for an "enterprise" use is therefore missing. That's two Xs for snort.

                                      snort-inline. No need to comment on this, other than R.I.P. snort-inline. Three Xs so far. At this very same point, snort was voted out of the game. We decided to give it another chance though.

                                      suricata comes along with its (far) superior stream and detection engine. Fanboysm aside, suricata was directly funded by the U.S. government for use as a toy in NSA's plans. As always, NEVER trust a single word, let alone a dot, of what I say. You can verify everything I say online. If it's good for them, it sure as hell it's good for me. That funding gave birth to a system that can max out a 10Gbps duplex connection, and have spare cycles to render a 3D video, at the same time. As it stands >right now<, comparing snort and suricata, suricata offers the ability to take advantage of our systems at their max potential, as they are right now. Since most people followed another member's advise (and basically ignored me), they used i3+ systems. Those systems went underutilized so far, since I have mentioned a (few) thousand times that snort doesn't actually act on the original packet, but a copy of the packet. To put it simply, the less than a handful of forum members that did decide to take my advice, saw snort running as fast on a p4 as an overclocked i7. Then again, who am I to know, right? Those systems (i3+) are completely ready for suricata's inline part, and will max out more bandwidth than you can afford. This is a HUGE advantage to suricata over snort.

                                      Suricata is like building a solid foundation for the future. Think of it like snort on steroids. Better log management, better capture facilities. When the inline part finally arrives in pfsense, that will transform pfsense into a multi million $ firewall system, capable of taking even the best of the best on (cough USISC, later assimilated into NETCOM).

                                      Speed wise, they both are pretty much the same as it stands right now.

                                      Putting both systems side by side, most users will not notice the difference, right now. A year later when the inline part arrives, those users will run around reconfiguring their systems from the ground up. The rest of us will just tick a checkbox and forget about it.

                                      For the upcoming suricata topic, I've decided to completely ignore the snort rules. Those rules that made it into ET (gpl for example) will be there, since they are technically part of ET, but the rest will be ignored. I believe it's best if we cut all ties with snort and let it die the horrendous death it deserves.

                                      WRT the money needed for a subscription, I would prefer it if anyone finds any of the two topics interesting, instead of contacting me for donations, they donate to ET by purchasing a subscription. Rule maintainers have to make a living you know.

                                      1 Reply Last reply Reply Quote 0
                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @jflsakfja:

                                        A couple of months back I contacted the snort guys to remove some rules that were carved in stone back in pre-historic times, since the stone was chipped and some pieces of it went missing. A few thousand years later, the rules are still there, and that's why I decided to contact them. They completely ignored me, thinking (and if any of them passes by here, please confirm) that no matter how old a rule is, it's still worth it to spend the man hours to maintain it. That's one X for snort.

                                        You can see based on Bill's posts and mine around here that snort hasn't updated the imap commands yet. A critical part of an IDS for an "enterprise" use is therefore missing. That's two Xs for snort.

                                        snort-inline. No need to comment on this, other than R.I.P. snort-inline. Three Xs so far. At this very same point, snort was voted out of the game. We decided to give it another chance though.

                                        suricata comes along with its (far) superior stream and detection engine. Fanboysm aside, suricata was directly funded by the U.S. government for use as a toy in NSA's plans. As always, NEVER trust a single word, let alone a dot, of what I say. You can verify everything I say online. If it's good for them, it sure as hell it's good for me. That funding gave birth to a system that can max out a 10Gbps duplex connection, and have spare cycles to render a 3D video, at the same time. As it stands >right now<, comparing snort and suricata, suricata offers the ability to take advantage of our systems at their max potential, as they are right now. Since most people followed another member's advise (and basically ignored me), they used i3+ systems. Those systems went underutilized so far, since I have mentioned a (few) thousand times that snort doesn't actually act on the original packet, but a copy of the packet. To put it simply, the less than a handful of forum members that did decide to take my advice, saw snort running as fast on a p4 as an overclocked i7. Then again, who am I to know, right? Those systems (i3+) are completely ready for suricata's inline part, and will max out more bandwidth than you can afford. This is a HUGE advantage to suricata over snort.

                                        Suricata is like building a solid foundation for the future. Think of it like snort on steroids. Better log management, better capture facilities. When the inline part finally arrives in pfsense, that will transform pfsense into a multi million $ firewall system, capable of taking even the best of the best on (cough USISC, later assimilated into NETCOM).

                                        Speed wise, they both are pretty much the same as it stands right now.

                                        Putting both systems side by side, most users will not notice the difference, right now. A year later when the inline part arrives, those users will run around reconfiguring their systems from the ground up. The rest of us will just tick a checkbox and forget about it.

                                        For the upcoming suricata topic, I've decided to completely ignore the snort rules. Those rules that made it into ET (gpl for example) will be there, since they are technically part of ET, but the rest will be ignored. I believe it's best if we cut all ties with snort and let it die the horrendous death it deserves.

                                        WRT the money needed for a subscription, I would prefer it if anyone finds any of the two topics interesting, instead of contacting me for donations, they donate to ET by purchasing a subscription. Rule maintainers have to make a living you know.

                                        Very well said.  I would like to see the Emerging Threats guys offer a slightly more affordable subscription package for home users.  $300-$500 USD bruises your wallet quite a bit more than $29.99 USD.  For a commercial entity, it's a complete no-brainer.  For home enthusiasts, it might be harder to get approval from the better half for $500… ;)...after all, that could buy another set of curtains or maybe that dress she has been looking at... ;D.

                                        Bill

                                        1 Reply Last reply Reply Quote 0
                                        • ?
                                          A Former User
                                          last edited by

                                          @bmeeks:

                                          Very well said.  I would like to see the Emerging Threats guys offer a slightly more affordable subscription package for home users.  $300-$500 USD bruises your wallet quite a bit more than $29.99 USD.  For a commercial entity, it's a complete no-brainer.  For home enthusiasts, it might be harder to get approval from the better half for $500… ;)...after all, that could buy another set of curtains or maybe that dress she has been looking at... ;D.

                                          Bill

                                          Even for a commercial entity, $300 here, $300 there, quickly adds up to bills waiting to be paid next year and continues until the business goes bust.

                                          What I would be more that willing to pay? $50/year/pc. Everybody is happy. A home user is unlikely to install the rules on more than 1 pc, so the cost is kept low. An enterprise is not likely to install the rules on more than a dozen PCs, again cost is proportionate to the stuff you get out of them. And the best part is rule maintainers gets payed as well, from everybody.

                                          Since this topic has evolved into a "security" "experts" (not meaning to offend anyone here, it's directed at the individuals charging a few millions a year to provide network "security", yet still connect a scada system on the internet), why not move it up a notch and ridicule the MBAs as well, with a short lesson on how to build a solid successful business.

                                          Lets say you are selling a blank box. You start your company saying "hey, if I sell even 1 of them for a million dollars, I'd be a millionaire!". So you set the initial price for a blank box for 1 million $. You set up a factory to produce them, hire workers, build your new store, and wait. Days, months, years go by, and you are sitting at your new store, waiting for someone to come in and sell them that box to be a millionaire. 20 years later, after racking up a 60 million $ total bill (electricity,workers, etc.) a box collector comes in to your store. He is totally amazed at the quality and design of your box, and is willing to buy one right now. Your reply is "what good is 1 million when I have to pay 60?" and reluctantly sell a box. 5 years later, the business goes bankrupt.

                                          Now let's examine the example of someone trained by me personally. He knows the secret to a successful business is repeated business. He sets up a factory, and hires a single worker, automating most of the process of manufacturing a box. He sets up the new store, with samples of the new boxes. His secret is his price. He charges $1 for each new box, while everybody else charges $2. His total expenses to manufacture that box amount up to 50% of its price (cardboard,electricity,worker's salary split over the amount of boxes he can make in a shift, etc etc). He earns a respectable 50% on each box sold. A store owner passes by the new store and sees the prices and falls in love with them. He storms into the shop, already signing a check for a 100,000 pieces order. He is also willing to sign a contract for monthly delivery of boxes to his store. At his next golf game, he can't stop talking to his buddies about the extremely low priced boxes he bought. One of those buddies is a shoe making business owner. He walks into the new store the very next day, with a 200,000 pieces contract waiting to be signed. Everyone that passes by the store is stunned by the price. Their reaction is "ZOMG!!!111oneelevenhundredandelevenWTF!?!? THESE BOXES ARE HALF THE PRICE OF ALL OTHER BOXES". A year later the business has grown so much, it now employees 20 guys in the factory, and has opened up a dozen new stores. The business owner is also a millionaire, and has set up the foundation for the future.

                                          Those 2 examples come directly from stuff I've seen in my life, and although they seem off topic for most people, are actually spot on topic.

                                          What is the operational expense for a PC downloading the ET rules? If I say $500, I'd be willingly lying out of my teeth. I'm sorry guys, but I cannot do that. The operational expense for a single PC downloading the rules is not more than $10.  What does it take to keep those rules updated? I'm sure an out of job developer would be more than willing to spend a few hours a week maintaining the rules, for $500 a month.

                                          Making a profit FROM A SINGLE PC means charging $520/subscription (for $10 profit per subscription)

                                          Spreading the profit onto a thousand PCs, means charging $20.50 (for $10 profit per subscription).

                                          See where I'm getting at? You could even charge $50 and people would think "it's a f***ing steal!", yet you would be making 39.50/subscription. Just scale up from there and build a successful business on repeated business.

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            Mr. Jingles
                                            last edited by

                                            @jflsakfja:

                                            why not move it up a notch and ridicule the MBAs as well, with a short lesson on how to build a solid successful business.

                                            Finally something I can say something about with complete backing of my education (I hold quite some degrees in this very area)  ;D ;D ;D

                                            Not all 'MBA's' are the same: unfortunately around 95% of them are. And are exactly what you describe. This in itself has no longer anything to do with education, and as such I'd like to quote one of my favourite quotes:

                                            Hyperinflation is not restricted to monetary events

                                            With which I am referring to the current education scam, that is hitting the youngsters hard. As such, a simple google will lead you to many articles (even from trustworthy sites) about the insane college tuition bubbles that have been blewn around the world.

                                            That aside: what you are illustrating is somebody who did not ever complete macro-economics 101, let alone even an introduction to Marketing, more specifically SOP, Sales & Operations Planning. Because in there we teach the simple concept of supply and demand. Most people know these two words, but they don't know that in SOP we use this to determine the optimal sales price. All others assumed standard, that means that sales price in which our profits are maximized.

                                            The last lines of you are what is called 'marginal profitability'. Which specifically goes for digital goods, where the marginal profitability is around 100%. Given the concept of 'sunk cost', it means you, for short term sales pricing, should accept any price above the variable cost. Of course, if you are a victim of 1 of these 95%-'MBA's' you will pick the highest price you can think of. If you are one of the 5%, you know about SOP  ;D

                                            I by the way have a subscription to Snort, and the 30 USD/year is most fair. Obviously, somebody over there understands SOP. I also contacted the people over at ET some time ago, and was amazed by their arrogance, even when I explained SOP and marginal profits to them, in an attempt to have them lower the price to the levels of Snort for home users. And this only goes to prove the quote I put above. Hyperinflation is also observed in signatures of rather moron-alike people like the severely mentally handicapped person I had the chat with. He was a very important [fill in all kinds of expensive sounding words here] 'senior' 'manager' who told me: 'we don't care about your explanations, obviously, if you don't want to pay our price, you are not the customer we are looking for'.

                                            I think it is all these processed foods people eat that have evaporated their brains :'(

                                            ( ;D )

                                            6 and a half billion people know that they are stupid, agressive, lower life forms.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.