Snort mailing list archives
Re: Disablesid.conf and classtype
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 21 Feb 2014 19:39:51 +0000
Perhaps a bit off topic from the original thread, but Juan’s email prompted me about the way he seems to be doing things. Have you seen this?

http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <camilo.valencia13 () gmail com> wrote:

> Hi,
>
> We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most optimized, but it works. You can use it for your keyword:
>
> #Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
> pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
>
> #Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
>
> #Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted-(admin|user) and misc-activity
> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
>
> #Regex to enable rules on VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
> pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
>
> I hope that this helps you.
>
> Best Regards
>
> On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan () yahoo com> wrote:
>
>> Hi All,
>>
>> Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule? If so can you post an example?
>>
>> Thanks,
>> Ed
>>
>> Sent from a mobile device.
> --
> JUAN CAMILO VALENCIA VARGAS
> Operations Engineer
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medellín, Colombia
> “Choose a job you love, and you will never have to work a day in your life”
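Juan's lookahead patterns above, run against a few constructed Snort rule lines as an added example (not code from the thread or from pulledpork itself). It assumes pulledpork tests each pcre against the whole rule line and, as the patterns are written, matches case-sensitively, which is why the `apple` alternative only hits a lowercase reference URL and not the capitalized vendor name in the msg.

```python
import re

# Lookahead patterns in the style of the pulledpork pcre: lines quoted above.
# Every (?=...) group must find its keyword somewhere on the rule line, so a
# rule is selected only when it carries BOTH the category and the classtype.
PATTERNS = {
    "ie-attempted": r"(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)",
    "multimedia-vendor": r"(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)"
                         r"(?=.*\b(apple|adobe|videolan.org)\b)",
    "cnc-trojan": r"(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)",
}

# Constructed sample rules; the sids are placeholders, not real VRT sids.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; classtype:attempted-user; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure"; flow:to_client,established; classtype:misc-activity; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime malformed atom attempt"; flow:to_client,established; reference:url,apple.com/support; classtype:attempted-user; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA generic media parser overflow"; flow:to_client,established; classtype:attempted-user; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan outbound beacon"; flow:to_server,established; classtype:trojan-activity; sid:9000005; rev:1;)
# comment lines and blank lines are skipped, as pulledpork would skip them
"""

SID_RX = re.compile(r"\bsid:(\d+);")


def select_sids(rules_text, pattern):
    """Return the sids of every rule line the lookahead pattern matches."""
    rx = re.compile(pattern)  # case-sensitive: \bapple\b will not match "Apple"
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if rx.search(line):
            m = SID_RX.search(line)
            hits.append(int(m.group(1)) if m else None)
    return hits


def selection_report(rules_text, patterns):
    """Map each named pattern to the sids it would enable or disable."""
    return {name: select_sids(rules_text, pat) for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, sids in selection_report(SAMPLE_RULES, PATTERNS).items():
        print(f"{name}: {sids}")
```

Sid 9000003 is picked up through its lowercase `apple.com` reference, while 9000004 (same category and classtype, no vendor keyword) is not, which is the kind of near miss worth checking before trusting a pattern across a full ruleset.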
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Disablesid.conf and classtype SnortFan (Feb 21)
- Re: Disablesid.conf and classtype Juan Camilo Valencia (Feb 21)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 21)
- Re: Disablesid.conf and classtype SnortFan (Feb 26)
- Re: Disablesid.conf and classtype SnortFan (Feb 26)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 26)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 21)
- Re: Disablesid.conf and classtype Juan Camilo Valencia (Feb 21)