Snort mailing list archives
Re: Pulledpork and preprocessor rules
From: SnortFan <SnortFan () yahoo com>
Date: Fri, 24 Jan 2014 09:48:07 -0500
Hi Dave,

I'm still kinda trying to figure this out as well. What you may try is modifying the snort.conf to only enable the preprocessor for reputation. Comment the rest out in the snort.conf. So you would still pull down all the preprocessors with pulledpork, but snort would only activate those two preprocessor rules. Warning, I'm just making an educated guess. 8-)

Joel? Does that sound right?

Thanks,
Ed

Sent from a mobile device.
> On Jan 23, 2014, at 9:43 PM, Dave Corsello <snort-users () wintertreemedia com> wrote:
>
> Hi Ed,
>
> Thanks for your reply. Maybe I should be more specific in what I want to do. I currently have rules enabled by policy. In addition, I want to turn on just the two reputation preprocessor rules, 1:136 and 2:136. I don't see a way to accomplish that with the categories that you provided. What am I missing?
>
> --Dave
>
>> On 1/23/2014 3:47 PM, SnortFan wrote:
>>
>> Here is the list as best as I can tell from what's in the snort rules file. When I place them into the enablesid.conf file and pull, I get the mother lode of rules. I don't recommend turning them all on.
>>
>> app-detect blacklist browser-chrome browser-firefox browser-ie browser-other browser-plugins browser-webkit content-replace decoder dos exploit-kit file-executable file-flash file-identify file-image file-java file-multimedia file-office file-other file-pdf indicator-compromise indicator-obfuscation indicator-scan indicator-shellcode malware-backdoor malware-cnc malware-other malware-tools netbios os-linux os-mobile os-other os-solaris os-windows policy-multimedia policy-other policy-social policy-spam preprocessor protocol-dns protocol-finger protocol-ftp protocol-icmp protocol-imap protocol-nntp protocol-pop protocol-rpc protocol-scada protocol-services protocol-snmp protocol-telnet protocol-tftp protocol-voip pua-adware pua-other pua-p2p pua-toolbars server-apache server-iis server-mail server-mssql server-mysql server-oracle server-other server-samba server-webapp sql x11
>>
>> Sent from a mobile device.
>>
>>> On Jan 23, 2014, at 8:44 AM, SnortFan <SnortFan () yahoo com> wrote:
>>>
>>> Hi Dave,
>>>
>>> It looks like it pulls them down and places them in the snort.rules file. I don't see where it replaces the gen-msg.map file, but if you search in the snort.rules file for one of the gids you should see them.
>>>
>>> Cheers,
>>> Ed
>>>
>>> Sent from a mobile device.
>>>
>>>> On Jan 23, 2014, at 7:43 AM, Dave Corsello <snort-users () wintertreemedia com> wrote:
>>>>
>>>> I thought this would be a pretty basic question, but I haven't been able to locate an answer yet. How do you enable preproc rules in pulledpork? I tried adding "1:136,2:136" to enablesid.conf, but it didn't work.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
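Ed's advice in the thread is to search the PulledPork-generated snort.rules for the gid to see whether the preprocessor rules were pulled. The script below is an added example, not code from the thread or from PulledPork, that automates that check: it parses rule lines, treats a missing gid option as gid 1 (Snort's default for text rules), treats a leading '#' as a rule PulledPork left disabled, and reports each requested id in the gid:sid notation that both Snort rule options and PulledPork's enablesid.conf use, so the reputation preprocessor's two events (gid 136) are 136:1 and 136:2. The rules file content is constructed for the example.

```python
import re

# Constructed sample of what PulledPork writes into snort.rules: two text
# rules (no gid option, so gid 1 is implied) and the two reputation
# preprocessor rules, one left enabled and one commented out.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC sample"; flow:to_server; sid:20001; rev:1;)
# alert tcp any any -> any 80 (msg:"POLICY-OTHER sample"; sid:20002; rev:2;)
alert ( msg:"REPUTATION_EVENT_BLACKLIST"; sid:1; gid:136; rev:1; metadata:rule-type preproc; classtype:bad-unknown; )
# alert ( msg:"REPUTATION_EVENT_WHITELIST"; sid:2; gid:136; rev:1; metadata:rule-type preproc; classtype:good-unknown; )
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_rules(text):
    """Map (gid, sid) -> (enabled, msg) for every rule line in a rules file.

    A leading '#' means the rule is present but disabled; a line without a
    sid option is a plain comment and is skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith('#')
        body = line.lstrip('#').strip()
        sid = SID_RE.search(body)
        if not sid:
            continue
        gid = GID_RE.search(body)
        gid_val = int(gid.group(1)) if gid else 1  # Snort default gid
        msg = MSG_RE.search(body)
        rules[(gid_val, int(sid.group(1)))] = (enabled, msg.group(1) if msg else '')
    return rules


def check_enabled(text, wanted):
    """For each 'gid:sid' string (enablesid.conf notation) report whether the
    rule is 'enabled', 'disabled' (commented out) or 'missing' from the file."""
    rules = parse_rules(text)
    result = {}
    for ident in wanted:
        gid, sid = (int(x) for x in ident.split(':'))
        if (gid, sid) not in rules:
            result[ident] = 'missing'
        else:
            result[ident] = 'enabled' if rules[(gid, sid)][0] else 'disabled'
    return result


if __name__ == '__main__':
    # Note that 1:136 (gid 1, sid 136) is not the same rule as 136:1.
    print(check_enabled(SAMPLE_RULES, ['136:1', '136:2', '1:136']))
```

Run it against a real snort.rules by replacing SAMPLE_RULES with the file's contents; a 'missing' result means PulledPork did not write the rule at all, while 'disabled' means it is there but commented out.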
Current thread:
- Pulledpork and preprocessor rules Dave Corsello (Jan 23)
- Re: Pulledpork and preprocessor rules SnortFan (Jan 23)
- Re: Pulledpork and preprocessor rules SnortFan (Jan 23)
- Re: Pulledpork and preprocessor rules Dave Corsello (Jan 23)
- Re: Pulledpork and preprocessor rules SnortFan (Jan 24)
- Re: Pulledpork and preprocessor rules Lay, James (Jan 24)
- Message not available
- Re: Pulledpork and preprocessor rules Dave Corsello (Jan 24)
- Re: Pulledpork and preprocessor rules SnortFan (Jan 23)
- Re: Pulledpork and preprocessor rules SnortFan (Jan 23)