
For Snort sfPortScan, add ignore_scanned option to ignore destination… #122

Merged
merged 7 commits
May 20, 2016

Conversation

zxvv (Contributor) commented Apr 27, 2016

For Snort sfPortScan, this adds an 'ignore_scanned' option, described in the Snort documentation as:

ignore_scanned { <ip1 ip2/cidr[ [port1 port2-port3]]> }
Ignores the destination of scan alerts. The parameter is the same format as that of watch_ip.
https://www.snort.org/faq/readme-sfportscan

The syntax is identical to the existing ignore_scanned option, so the PHP validation and selection of aliases is treated identically.

This was proposed in the forums:
https://forum.pfsense.org/index.php?topic=110657.0

zxvv (Contributor, Author) commented Apr 27, 2016

The last two commits resolved issues with emitting aliases and CIDR values. This is based on some testing of configuration of ignore_scanners and ignore_scanned using aliases and using CIDR addresses, with and without ports.

I've tried to stick to consistent style, but I may not be familiar with conventions for this project, so if you wish, please feel free to modify this however needed, or tell me where it's not conforming.

One motivation was to allow one to suppress certain false positives in order to be able to raise the portscan sensitivity level. For example, inbound ssh and openvpn can trigger a false positive, and blacklist the client address, and if so, adding these addr/ports to ignore_scanned may diminish the undesired blacklisting.
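To make the list grammar quoted from the README and the SSH/OpenVPN false-positive case concrete, here is an added example (not code from the pfSense Snort package): it parses the `ip[/cidr] [ port port-port ]` list form, renders it as a snort.conf option, and applies ignore_scanners and ignore_scanned to a sample alert. Assumptions: entries are space-separated as the README grammar shows, each list's bracketed ports are matched against that side's port (scanner port for ignore_scanners, scanned port for ignore_scanned), and all addresses are constructed.

```python
"""Added example for the sfPortScan ignore lists (not pfSense Snort package code).
Assumes the README grammar quoted above: addresses or CIDRs separated by spaces,
each optionally followed by "[ port port-port ]"."""
import ipaddress
import re

# One address/CIDR, optionally followed by a bracketed port list.
ENTRY_RE = re.compile(r"(\S+)(?:\s*\[\s*([^\]]*?)\s*\])?")

def parse_list(text):
    """Parse 'ip[/cidr] [ port port-port ] ...' into [(network, [(lo, hi), ...])].
    Raises ValueError on a malformed address or an out-of-range port."""
    entries = []
    for m in ENTRY_RE.finditer(text.strip()):
        net = ipaddress.ip_network(m.group(1), strict=False)
        ranges = []
        for tok in (m.group(2) or "").split():
            lo, _, hi = tok.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port spec {tok!r}")
            ranges.append((lo, hi))
        entries.append((net, ranges))
    return entries

def render(keyword, entries):
    """Render a parsed list as an sfPortScan option for snort.conf."""
    parts = []
    for net, ranges in entries:
        ip = str(net.network_address if net.prefixlen == net.max_prefixlen else net)
        if ranges:
            ip += " [ " + " ".join(f"{lo}-{hi}" if lo != hi else str(lo)
                                   for lo, hi in ranges) + " ]"
        parts.append(ip)
    return f"{keyword} {{ {' '.join(parts)} }}"

def matches(entries, ip, port):
    """True if ip falls in an entry and, when that entry lists ports, port does too."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net and (not ranges or any(lo <= port <= hi for lo, hi in ranges))
               for net, ranges in entries)

def alert_suppressed(scanners, scanned, src, src_port, dst, dst_port):
    """ignore_scanners is applied to the alert's source, ignore_scanned (this PR)
    to its destination; assumption: each list's ports match that side's port."""
    return matches(scanners, src, src_port) or matches(scanned, dst, dst_port)
```

With `ignore_scanned { 203.0.113.1 [ 22 1194 ] }` (constructed WAN address), a client probing SSH or OpenVPN on the firewall no longer raises a scan alert, while the same client hitting port 8080 still does.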

zxvv (Contributor, Author) commented Apr 30, 2016

I've been able to keep the scan sensitivity at 'high' without locking myself out, which is an improvement for me.

Andrew17856 commented

I'm also awaiting this functionality - thanks for adding it.

rbgarga (Member) commented May 20, 2016

Can you please check this out @bmeeks8 ?

bmeeks8 (Contributor) commented May 20, 2016

I am good with this addition. Please merge the change.

Thanks,
Bill

@netgate-git-updates netgate-git-updates merged commit 3971bc1 into pfsense:devel May 20, 2016
netgate-git-updates pushed a commit that referenced this pull request May 20, 2016