Snort mailing list archives
Re: thinning out the rules
From: JJC <cummingsj () gmail com>
Date: Thu, 20 Jan 2011 07:58:29 -0700
Depending on your needs, there are a number of tools that can accomplish what you want. Pulledpork is the most feature-rich of these. In this case, simply adding pcre:netware to the disablesid.conf will disable all rules that contain the string "netware". The benefit of using PP would be simple process repeatability and full ruleset/type support (shared objects, preprocessor rules, etc.).

JJC

On Thursday, January 20, 2011, Edward Fjellskål <edwardfjellskaal () gmail com> wrote:
> For what it's worth, I recently wrote a bit different rule management tool that I use personally. Blogged about it here: http://www.gamelinux.org/?p=240
>
> Suppose the msg: field of the rule contains netware and that's relevant for what you are looking for. I would do:
>
>   ./polman -i <mysensor> -s "netware"
>
> That displays me a total of 321 rules, 99% or so are in "deleted" and not enabled by default. (My db holds vrt + et rules.) I use my own tool with great luck and lots of joy. Read the blog for more info. This might not be the answer you are looking for, but maybe it gives you some ideas.
>
> I also wrote a small bash script that I used together with oinkmaster: https://github.com/gamelinux/sidrule
>
> It basically uses 'sed' to alter the state of the rules in the rulefiles, then I used disablesid.pl or something to make a persistent file to feed to oinkmaster so it would remember what I did or something.
>
> On Thu, Jan 20, 2011 at 3:20 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:
>> Rather than go through each .txt file for each rule, is there a better way to thin out the rules that don't apply to the network it's on? E.g., netware is not running on the network. How can I find and disable all netware alerts?
>
> --
> Edward Bjarte Fjellskål
> Senior Security Analyst
> http://www.gamelinux.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
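As an added illustration of what the thread describes (this is not code from the thread, from PulledPork or from polman): a small Python approximation of a disablesid.conf pass that comments out every active rule whose text matches a `pcre:` pattern, or whose sid is listed as `gid:sid` / bare sid, while leaving already-disabled rules untouched. The sample rules and the case-insensitive matching are assumptions made for the example.

```python
import re

# Constructed sample rule file: three live rules, one already commented out.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 524 (msg:"PROTOCOL-SERVICES netware attempt"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC test"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 427 (msg:"NetWare SLP probe"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_disable_list(text):
    """Parse disablesid-style entries: 'pcre:<regex>', 'gid:sid' or a bare sid per line."""
    patterns, sids = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('pcre:'):
            # Assumption for this example: match case-insensitively, so "netware"
            # also catches msg strings written as "NetWare".
            patterns.append(re.compile(line[len('pcre:'):], re.IGNORECASE))
        else:
            sids.add(int(line.split(':')[-1]))   # "1:2010" -> 2010, "2010" -> 2010
    return patterns, sids


def disable_rules(rules_text, disable_text):
    """Return (rewritten rule text, list of sids that were newly disabled)."""
    patterns, sids = parse_disable_list(disable_text)
    out, disabled = [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            out.append(line)            # blank or already-disabled: leave as-is
            continue
        m = SID_RE.search(stripped)
        sid = int(m.group(1)) if m else None
        if sid in sids or any(p.search(stripped) for p in patterns):
            out.append('# ' + line)     # disable by commenting the rule out
            disabled.append(sid)
        else:
            out.append(line)
    return '\n'.join(out) + '\n', disabled
```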
Current thread:
- thinning out the rules Michael Lubinski (Jan 20)
- Re: thinning out the rules Edward Fjellskål (Jan 20)
- Re: thinning out the rules JJC (Jan 20)
- Re: thinning out the rules Jason Wallace (Jan 20)
- Re: thinning out the rules JJC (Jan 20)
- Re: thinning out the rules JJC (Jan 20)
- Re: thinning out the rules Edward Fjellskål (Jan 20)
- Re: thinning out the rules John Gay (Jan 25)