Re: How to decide which rules should be enabled.

["Castle, Shane" <scastle () bouldercounty org>]

Actually, I have discovered that over time having individual rules files leads to old rules being used when they should 
not be (cruft) and new rules not being used when they should be, since these file names may change or be added to 
without warning. Having PulledPork combine them into one file is a great feature, IMHO.

I'll not return to OinkMaster. It was great at first, but PulledPork has it soundly beaten.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, July 19, 2012 09:54
To: Bravo Snipper
Cc: snort list
Subject: Re: [Snort-users] How to decide which rules should be enabled.

The answer is "it depends"

You can make pulled pork still output the "individual" files if you want.  I don't know the command for it, but maybe 
JJ can chime in here?


On Thu, Jul 19, 2012 at 4:03 AM, Bravo Snipper <snipperbravo () yahoo com> wrote:


        Hi
        
        Al right I opted for  rule policy "security" in pulledpork.
        

        Now when i manually downloaded  snortrules-snapshot-xxxx I can see different *.rules file, a separate pre_proc 
directory etc.
        
        But when i use pulledpork it only places a singal file snort.rules in rules directory, it has all the rules in 
single file.
        
        Why is it different? 
        Isn't keeping separate rules file e.g scan.rules, web-attack.rules is more manageable.
        
        Can this(keeping single rule file or multiple) be configured using pulledpork configuration.
        Currently I used pulledpork in the following way;
         
        -My pulledpork command
        /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l
        
        -ips_policy=security
        

        Regards
        
        
________________________________

        From: Tony Robinson <trobinson () sourcefire com>
        To: Bravo Snipper <snipperbravo () yahoo com> 
        Cc: snort list <snort-users () lists sourceforge net> 
        Sent: Wednesday, July 18, 2012 7:53 PM
        Subject: Re: [Snort-users] How to decide which rules should be enabled.
        

        Realized I made some typos on my example rule.
        
        it should be alert icmp any any any any (message:"[your message]"; sid:[your sid number]; rev:[rev. number];)
        
        - there should be four any statements in the rule header, message argument is usually in quotes, and each 
argument in the rule body must have a semicolon after it.
        
        ... guess my coffee hasn't kicked in yet.
        
        Cheers,
        
        -Tony
        
        
        On Wed, Jul 18, 2012 at 9:40 AM, Tony Robinson <trobinson () sourcefire com> wrote:
        

                Hi there,
                
                The question around rulesets is one that is very easy to ask, and exceptionally difficult to answer. It 
really requires knowing your network and enabling rules for things that concern you. that is going to differ from place 
to place and snort deployment to snort deployment. One person may be concerned about p2p traffic, or rules that violate 
corporate policy, while another may be concerned about botnet CNC rules.
                
                Something that may help you build a good rule baseline is the program pulled pork. (link to the readme: 
http://code.google.com/p/pulledpork/source/browse/trunk/README?r=225) The program will pull down the latest available 
rules from snort.org <http://snort.org/>  and allows you to easily build a ruleset based off three base policies: 
Connectivity over Security, Balanced, and Security over Connectivity. From there you can pare down a rule-heavy 
ruleset, or bulk up one of the smaller rulesets to meet your needs.
                
                Another recommendation I can make is signing up to the SANS @risk newsletter. Every Thursday, SANS puts 
out a newsletter of the top exploits and malware seen out in the wild, with the help of our very own VRT (Vulnerability 
Research Team). Under each vulnerability is an associated snort SID (or in some cases, multiple SIDs), and an 
associated ClamAV signature for detecting the exploit or malware. Best of all, this is a free resource.
                
                While these aren't definitive answers to your question, they are a very good start to building a good 
rule set.
                
                In regards to your question for testing snort, there are many ways of doing that. Snort has a built-in 
-T parameter you can use to test the snort.conf file and ensure that everything is "sane" and that snort will at least 
start up.
                
                In terms of testing whether or not snort is actively sniffing traffic off the wire, a good trick is to 
create a file called local.rules, include it in your snort.conf file and create a simple rule such as:
                
                alert icmp any any any (message:[your message here] sid:1000000; rev:1;)
                
                and trying pinging something your snort sensor has visibility on. If you get alerts, it is a good sign 
that snort is working. This is usually a setup step specified in some of the snort install guides on snort.org 
<http://snort.org/> .
                
                Hope this helps,
                
                -Tony
                
                
                On Wed, Jul 18, 2012 at 3:47 AM, Bravo Snipper <snipperbravo () yahoo com> wrote:
                

                        Hi
                        
                        After snort installation now how can we decide that which rules should be enabled or we should 
enable all the rules given by snort. Can any one please share some  tutorial regarding this aspect of snort 
configuration.  

                        Plus can any one name some standard set of tools to  test snorts setup.

                        regards.
                        

                        ------------------------------------------------------------------------------
                        Live Security Virtual Conference
                        Exclusive live event will cover all the ways today's security and
                        threat landscape has changed and how IT managers can respond. Discussions
                        will include endpoint security, mobile security and the latest in malware
                        threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
                        _______________________________________________
                        Snort-users mailing list
                        Snort-users () lists sourceforge net
                        Go to this URL to change user options or unsubscribe:
                        https://lists.sourceforge.net/lists/listinfo/snort-users
                        Snort-users list archive:
                        http://www.geocrawler.com/redir-sf.php3?list=snort-users
                        
                        Please visit http://blog.snort.org to stay current on all the latest Snort news!
                        

                
                
                
                -- 
                
                Tony Robinson
                
                Security Consultant I
                SourceFIRE Professional Services Division
                
                
                





        -- 
        
        Tony Robinson
        
        Security Consultant I
        SourceFIRE Professional Services Division
        
        
        




        ------------------------------------------------------------------------------
        Live Security Virtual Conference
        Exclusive live event will cover all the ways today's security and
        threat landscape has changed and how IT managers can respond. Discussions
        will include endpoint security, mobile security and the latest in malware
        threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://www.geocrawler.com/redir-sf.php3?list=snort-users
        
        Please visit http://blog.snort.org to stay current on all the latest Snort news!
        




-- 

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!