Snort mailing list archives
Re: How to activate all rules using PulledPork?
From: SnortFan <SnortFan () yahoo com>
Date: Mon, 24 Feb 2014 12:46:43 -0500
Hi Michael,

You can have the file sit there if you'd like, you just have to have the reference uncommented and correctly defined in your pulledpork.conf. Here is my list:

app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11

If you want, you can disable a category by placing a # in front of any line. So #x11 would disable PulledPork from enabling the x11 rules.

Note: the category is not the same as the class type. I've seen multiple class types lumped into a category.

Before you add them and do a pull, do a line count of uncommented lines in your snort.rules file. Then do the same after.

Enjoy,
Ed

Sent from a mobile device.
On Feb 23, 2014, at 8:11 PM, "Michael Steele" <michaels () winsnort com> wrote:

All I do is add the attached enablesid.conf to the pulledpork/etc folder? Is the list in the correct format?

Michael...

From: SnortFan [mailto:SnortFan () yahoo com]
Sent: Thursday, February 20, 2014 7:29 PM
To: Michael Steele
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] How to activate all rules using PulledPork?

If you're talking about all those commented-out rules that PulledPork leaves in the snort.rules file, try adding the Snort rule categories in the enablesid file. If you need a list of the categories, their names are in the snort.rules file, or I can find it in one of my emails to the forum.

Cheers,
Ed

Sent from a mobile device.

On Feb 20, 2014, at 2:14 PM, "Michael Steele" <michaels () winsnort com> wrote:

I've been trying to get PulledPork to enable all rules, and so far all help has stalled in the PulledPork Google Groups. I'm told by JJ that it is possible, and he has instructed me to add <PCRE wildcard "."> (everything between the <>) to the enablesid.conf, and all the alerts would be activated. I'm having no problems processing rules with any one of the three IP_Policy settings. Hopefully someone has a solution to this?
Here is my pulledpork.conf:

# Config file for pulledpork
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>
temp_path=d:\winids\pulledpork\temp
rule_path=d:\winids\snort\rules\winids.rules
local_rules=d:\winids\snort\rules\local.rules
sid_msg=d:\winids\snort\etc\sid-msg.map
sid_msg_version=1
sid_changelog=d:\winids\snort\log\sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-8.1
docs=d:\winids\Apache24\htdocs\base\signatures\
snort_version=2.9.5.6
enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf
ips_policy=security
version=0.7.0

Here is my enablesid.conf:

# example enablesid.conf v3.1
PCRE wildcard "."

Here is my run line:

pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vT

TIA...
Michael...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

<enablesid.conf>
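Ed's before/after line count of uncommented rules, as an added Python example that is not part of the thread and not PulledPork's own code: it tallies enabled versus commented-out rules in a snort.rules file, breaks the enabled ones down by classtype (which, as Ed notes, is not the same thing as the rule category), and reports which SIDs changed state between two pulls. The snort.rules excerpts below are constructed sample data.

```python
import re
from collections import Counter

# Constructed snort.rules excerpts (sample data, not from the thread). BEFORE has two
# rules left commented out by PulledPork; AFTER is the same file after one of them
# was enabled through enablesid.conf.
BEFORE = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB probe"; classtype:attempted-admin; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC beacon"; classtype:trojan-activity; sid:1000002; rev:2;)
# alert tcp any any -> any 6000 (msg:"X11 MIT magic cookie"; classtype:attempted-recon; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"PROTOCOL-DNS odd query"; classtype:misc-activity; sid:1000004; rev:1;)
# plain comment, not a rule
"""
AFTER = BEFORE.replace("# alert tcp $HOME_NET", "alert tcp $HOME_NET")

# A rule line: optional leading '#' (disabled), an action keyword, and a sid option.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s.*\bsid:(\d+);")
CLASS_RE = re.compile(r"classtype:([\w-]+);")


def parse_rules(text):
    """Return {sid: (enabled, classtype)} for every rule line in a snort.rules file."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments are not rules
        c = CLASS_RE.search(line)
        rules[int(m.group(3))] = (m.group(1) is None, c.group(1) if c else "unclassified")
    return rules


def count_enabled(text):
    """Ed's line count: number of uncommented rule lines, plus a per-classtype breakdown."""
    rules = parse_rules(text)
    per_class = Counter(ct for enabled, ct in rules.values() if enabled)
    return sum(1 for enabled, _ in rules.values() if enabled), per_class


def diff_pull(before, after):
    """Report which SIDs changed state between two PulledPork runs."""
    b, a = parse_rules(before), parse_rules(after)
    return {
        "newly_enabled": sorted(s for s in a if a[s][0] and not b.get(s, (False,))[0]),
        "newly_disabled": sorted(s for s in b if b[s][0] and not a.get(s, (False,))[0]),
    }


if __name__ == "__main__":
    print("enabled before:", count_enabled(BEFORE)[0], "after:", count_enabled(AFTER)[0])
    print(diff_pull(BEFORE, AFTER))
```

To use it on a real deployment, read the two snort.rules files (from before and after the pull) into BEFORE and AFTER instead of the constructed strings.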