Re: Enabling Only Applicable Rules

[Marcin Dulak <marcin.dulak () gmail com>]

To control whether the commented out rules are written into snort.rules is
done using a command line option to pulledpork:

-E Write ONLY the enabled rules to the output files.

Marcin

On Wed, Jun 7, 2017 at 1:00 AM, bobby <architectofthefuture () gmail com>
wrote:

> Will all unnecessary rules be removed or commented out?
> I modified the files as you mentioned in your e-mail.
> I also put the words in single quotes.
> I am still not having any luck.
>
> On Tue, Jun 6, 2017 at 6:53 PM, Marcin Dulak <marcin.dulak () gmail com>
> wrote:
>
> > Hello,
> >
> > Please continue the discussion on snort-users.
> > Are all pulledpork configuration files adjusted, especially
> > disablesid.conf and pulledpork.conf?
> > Try also enablesid.conf to contain pcre:'OpenSSL' instead of OpenSSL.
> > In my experience pulledpork behaves often unpredictable when one hits
> > bugs or untested features depending on the pulledpork version used.
> > If you discover an unexpected behavior report it directly at
> > https://github.com/shirkdog/pulledpork/issues stating the version used
> > and all
> > command used to reproduce the problem.
> >
> > Marcin
> >
> > On Wed, Jun 7, 2017 at 12:39 AM, bobby <architectofthefuture () gmail com>
> > wrote:
> >
> > > I did this, and here is what is in my enablesid.conf:
> > >
> > > server-apache
> > > OpenSSL
> > >
> > > There are still 30k+ rules in my snort rules file, and for the most part
> > > are not commented out.
> > >
> > > On Sun, May 14, 2017 at 7:33 AM, Marcin Dulak <marcin.dulak () gmail com>
> > > wrote:
> > >
> > > > Register at snort.org to obtain the free snortrules-snapshot-*.tar.gz
> > > > which contains rules divided into categories.
> > > > Then use pulledpork to select the desired category + additional rules.
> > > >
> > > > For example, on CentOS7:
> > > >
> > > > Pulledpork is installed with: yum -y install pulledpork
> > > >
> > > > After the installation of Pulledpork:
> > > >
> > > > 0. mkdir -p /etc/snort/rules/iplists
> > > > 1. insert your oinkcode in /etc/pulledpork/pulledpork.conf
> > > > 2. disable community-rules.tar.gz in /etc/pulledpork/pulledpork.conf
> > > > 3. change the order Pulledpork operations to:
> > > > state_order=disable,drop,enable in /etc/pulledpork/pulledpork.conf
> > > >
> > > > Pulledpork writes the rules on CentOS by default to
> > > > /etc/snort/rules/snort.rules.
> > > > In order to create or update /etc/snort/rules/snort.rules do:
> > > >
> > > > 4. Disable all rules: echo pcre:. >> /etc/pulledpork/disablesid.conf
> > > > 5. Enable selected categories and rules:
> > > >
> > > > echo server-apache >> /etc/pulledpork/enablesid.conf
> > > > echo pcre:'OpenSSL' >> /etc/pulledpork/enablesid.conf
> > > > echo pcre:' cipher' >> /etc/pulledpork/enablesid.conf
> > > > echo pcre:'rule-type decode' >> /etc/pulledpork/enablesid.conf
> > > > echo '139:1-139:9999' >> /etc/pulledpork/enablesid.conf
> > > >
> > > > 6. One could replace HTTP_PORTS rules with a custom MY_HTTP_PORTS set
> > > > on top of snort.conf
> > > > echo '* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "' >>
> > > > /etc/pulledpork/modifysid.conf
> > > >
> > > > 7. Here is how one could disable specific rules (this way works only
> > > > for gid:1):
> > > > echo '* ".*freakattack.*" ""' >> /etc/pulledpork/modifysid.conf
> > > > echo '* ".*sid:28205.*" ""' >> /etc/pulledpork/modifysid.conf
> > > >
> > > > 8. generate new /etc/snort/rules/snort.rules with: pulledpork -PE -c
> > > > /etc/pulledpork/pulledpork.conf
> > > >
> > > > Marcin
> > > >
> > > > On Sat, May 13, 2017 at 2:32 AM, bobby <architectofthefuture () gmail com>
> > > > wrote:
> > > >
> > > > > I am running snort, and have the community rules.
> > > > >
> > > > > If I am running the HTTP service, how do I locate the rules that I
> > > > > need to
> > > > > activate/that apply to me?  Do I just do a ls | grep ' HTTP ' on the
> > > > > rules?  What is the best way to do this since there are thousands and
> > > > > thousands of rule sets?  How does one go about customizing the rules to
> > > > > ones' network?
> > > > > ------------------------------------------------------------
> > > > > ------------------
> > > > > Check out the vibrant tech community on one of the world's most
> > > > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!