Re: Default rule set

[Y M <snort () outlook com>]

> From: Jake.Sallee () umhb edu
> To: snort-users () lists sourceforge net
> Date: Sun, 18 May 2014 05:44:22 +0000
> Subject: [Snort-users]  Default rule set
>
> Firstly, thank you all for the info, it has been very helpful.
>
> I have configured my pulled pork with the security setting and it seems to be working well.  Now, as others have 
> pointed out, configuring this setting in PP turns off all ET rules.  So my question is: are the rules turned on with 
> the "security" setting in PP sufficient or should I augment them with rules from the ET set?
Setting the security policy in PulledPork does not actually turn ET ruleset off. It is just that ET rules does not have 
the "metadata" tag with the appropriate policy metadata info (balanced, security, etc...), hence PulledPork does not 
include or enable (uncomment) them in the augmented snort.rules file. For the second question, it largely depends on 
your environment and what are trying to protect. You can read more about what "security" or "connectivity" policies 
mean at the same link the Joel referred to: http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html. 
Whether to augment ET rules or not, this again depends on your environment and your evaluation of the rules and what 
they can achieve to you in your environment. 
> Also, a quick question about this suggestion:
>
> > 2. Since PulledPork now processes modifysid.conf first (before enablesid.conf),
> > add pcre to modify ET rules to include the desired policy and PulledPork should
> > pick it up from there. I will need to re-test this one though.
>
> Please forgive my inexperience but I am reading this statement two different ways:
>
> 1) Set PP with the security setting and use PCRE to enable ET rules in the modifysid.conf file
When PulledPork is configured to run the "security" policy (either in pulledpork.conf or in the command line), it will 
enable rules that are tagged with the security policy. Since ET does not have this metadata, they are not enable. 
Hence, modifying the enablesid.conf file. Meaning that either you enable rules by sid (GID:SID format) or by category 
(or even pcre) regardless of the policy used. The enablesid.conf has good documentation, I would suggest that you give 
that a read.
> or
> 2) Use PCRE to enable the security sub-set of rules in modifysid.conf while PP is configured to use the ET rule set
The second case is to use PCRE to add the "security" metadata to the ET rules you want to be enabled in the 
modifysid.conf. In this case, PulledPork will see that these rules have the "security" metadata and will enable them in 
the next line of processing the rules. Like I said earlier, I will have to re-test this as this was sometime back and 
its blurry to me.
> Which one is correct, or am I wrong on both counts?
See comments above. The end result is the same but
> > And lastly, if I do use some ET rules in conjunction with the security set of rules I will need to do some serious 
> > pruning to keep under the aforementioned 7,000 rule suggested limit. Are there any rules that duplicate effort in 
> > the ET and Security sets?  If so, is there an easy way to identify them and which one should I choose to use?
ET and VRT and two different entities with different approaches. There will be VRT and ET rules that match on the same 
traffic, even though they may have been written differently.
> Thank you all again.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: waldo kitty [wkitty42 () windstream net]
> Sent: Saturday, May 17, 2014 9:47 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Default rule set
>
> On 5/17/2014 6:43 AM, Y M wrote:
> >  > ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET
> >  > (EmergingThreats) rules sets?? ;)
> >
> > I don't think ET ruleset has these policies.
>
> exactly, thanks for confirming this, YM... it is especially important since the
> OP's original question mentioned ET rules...
>
> > In the VRT ruleset, these are represented through the "metadata" tag with
> > options of "policy connectivity-ips", "policy balanced-ips", "policy
> > security-ips", and the most recent one "ruleset community". PulledPork use
> > these along with the "-I <policy>" to determine what rules to enable.
>
> yes, this confirms the method with which the policy is determined... it is also
> helpful for those who don't know or understand it...
>
> > During early tests, running PulledPork against both VRT and ET with a policy
> > specified, did not enable any ET rule. Two options to overcome this:
> > 1. Add ET sids/categories into enablesid.conf, and PulledPork will enable them
> > regardless of policy specified, or (better)
> > 2. Since PulledPork now processes modifysid.conf first (before enablesid.conf),
> > add pcre to modify ET rules to include the desired policy and PulledPork should
> > pick it up from there. I will need to re-test this one though.
>
> ahh, very nice... i'm glad to see the PP has come such a long way in the short
> time it has been available... excellent work by the maintainer! ;)
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!