Snort mailing list archives
Re: Enabling Only Applicable Rules
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Wed, 7 Jun 2017 01:06:35 +0200
Whether the commented-out rules are written into snort.rules is controlled by a command line option to pulledpork:

-E Write ONLY the enabled rules to the output files.

Marcin

On Wed, Jun 7, 2017 at 1:00 AM, bobby <architectofthefuture () gmail com> wrote:

> Will all unnecessary rules be removed or commented out? I modified the files as you mentioned in your e-mail. I also put the words in single quotes. I am still not having any luck.
>
> On Tue, Jun 6, 2017 at 6:53 PM, Marcin Dulak <marcin.dulak () gmail com> wrote:
>
> > Hello,
> >
> > Please continue the discussion on snort-users.
> >
> > Are all pulledpork configuration files adjusted, especially disablesid.conf and pulledpork.conf? Try also enablesid.conf to contain pcre:'OpenSSL' instead of OpenSSL.
> >
> > In my experience pulledpork often behaves unpredictably when one hits bugs or untested features, depending on the pulledpork version used. If you discover an unexpected behavior, report it directly at https://github.com/shirkdog/pulledpork/issues stating the version used and all commands used to reproduce the problem.
> >
> > Marcin
> >
> > On Wed, Jun 7, 2017 at 12:39 AM, bobby <architectofthefuture () gmail com> wrote:
> >
> > > I did this, and here is what is in my enablesid.conf:
> > >
> > > server-apache
> > > OpenSSL
> > >
> > > There are still 30k+ rules in my snort rules file, and for the most part they are not commented out.
> > >
> > > On Sun, May 14, 2017 at 7:33 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:
> > >
> > > > Register at snort.org to obtain the free snortrules-snapshot-*.tar.gz which contains rules divided into categories. Then use pulledpork to select the desired category + additional rules. For example, on CentOS7:
> > > >
> > > > Pulledpork is installed with:
> > > >
> > > > yum -y install pulledpork
> > > >
> > > > After the installation of Pulledpork:
> > > >
> > > > 0. mkdir -p /etc/snort/rules/iplists
> > > > 1. insert your oinkcode in /etc/pulledpork/pulledpork.conf
> > > > 2. disable community-rules.tar.gz in /etc/pulledpork/pulledpork.conf
> > > > 3. change the order of Pulledpork operations to: state_order=disable,drop,enable in /etc/pulledpork/pulledpork.conf
> > > >
> > > > Pulledpork writes the rules on CentOS by default to /etc/snort/rules/snort.rules. In order to create or update /etc/snort/rules/snort.rules do:
> > > >
> > > > 4. Disable all rules:
> > > >
> > > > echo pcre:. >> /etc/pulledpork/disablesid.conf
> > > >
> > > > 5. Enable selected categories and rules:
> > > >
> > > > echo server-apache >> /etc/pulledpork/enablesid.conf
> > > > echo pcre:'OpenSSL' >> /etc/pulledpork/enablesid.conf
> > > > echo pcre:' cipher' >> /etc/pulledpork/enablesid.conf
> > > > echo pcre:'rule-type decode' >> /etc/pulledpork/enablesid.conf
> > > > echo '139:1-139:9999' >> /etc/pulledpork/enablesid.conf
> > > >
> > > > 6. One could replace HTTP_PORTS rules with a custom MY_HTTP_PORTS set on top of snort.conf:
> > > >
> > > > echo '* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "' >> /etc/pulledpork/modifysid.conf
> > > >
> > > > 7. Here is how one could disable specific rules (this way works only for gid:1):
> > > >
> > > > echo '* ".*freakattack.*" ""' >> /etc/pulledpork/modifysid.conf
> > > > echo '* ".*sid:28205.*" ""' >> /etc/pulledpork/modifysid.conf
> > > >
> > > > 8. generate new /etc/snort/rules/snort.rules with:
> > > >
> > > > pulledpork -PE -c /etc/pulledpork/pulledpork.conf
> > > >
> > > > Marcin
> > > >
> > > > On Sat, May 13, 2017 at 2:32 AM, bobby <architectofthefuture () gmail com> wrote:
> > > >
> > > > > I am running snort, and have the community rules. If I am running the HTTP service, how do I locate the rules that I need to activate/that apply to me? Do I just do a ls | grep ' HTTP ' on the rules? What is the best way to do this since there are thousands and thousands of rule sets? How does one go about customizing the rules to one's network?

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
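The thread's steps 4 through 8 (disable everything with pcre:., re-enable a category, some pcre: matches and a gid:sid range, rewrite HTTP_PORTS and empty out specific rules via modifysid, then write the file with or without -E) only make sense once you see how the passes interact. The following is an added example, not code from this thread or from pulledpork itself: a small Python model of that selection logic run over a constructed rule set. It assumes the selector syntaxes the thread uses (a category file name, pcre:REGEX, gid:sid, gid:start-gid:end, a bare sid), that disabled rules are written commented out with "# " unless only enabled rules are requested, and that modifysid is applied after the state passes; the sample rules, sids and messages are made up for the example.

```python
"""Toy model of pulledpork-style rule selection (added example, not pulledpork code).

Models the selector syntax used in the thread (category file name, pcre:REGEX,
gid:sid, gid:start-gid:end, bare sid), state_order, modifysid, and the choice
between commenting out disabled rules ('# ') and writing only enabled ones (-E).
Applying modifysid after the state passes is an assumption of this model.
"""
import re

# Constructed sample rule set: (source category file, rule text). None of these
# sids or messages are real Talos/VRT rules.
SAMPLE_RULES = [
    ("server-apache", 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
     '(msg:"SERVER-APACHE Apache mod_cgi command execution attempt"; sid:9000001; rev:1;)'),
    ("server-webapp", 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
     '(msg:"SERVER-WEBAPP OpenSSL heartbeat read overrun attempt"; sid:9000002; rev:1;)'),
    ("server-webapp", 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
     '(msg:"SERVER-WEBAPP PHP remote file include attempt"; sid:9000003; rev:1;)'),
    ("policy-other", 'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY-OTHER SSL '
     'export-grade cipher negotiation"; reference:url,freakattack.com; sid:9000004; rev:1;)'),
    ("decoder", 'alert ( msg:"DECODE_EXAMPLE_GID116"; sid:1; gid:116; rev:1; metadata:rule-type decode; )'),
    ("preprocessor", 'alert ( msg:"PREPROC_EXAMPLE_GID139"; sid:1; gid:139; rev:1; metadata:rule-type preproc; )'),
    ("preprocessor", 'alert ( msg:"PREPROC_EXAMPLE_GID136"; sid:1; gid:136; rev:1; metadata:rule-type preproc; )'),
]

# The lines the thread's steps 4-7 append, as they land in the files once the
# shell has removed the single quotes (note the leading space kept in ' cipher').
CONF = {
    "disable": ["pcre:."],
    "drop": [],
    "enable": ["server-apache", "pcre:OpenSSL", "pcre: cipher",
               "pcre:rule-type decode", "139:1-139:9999"],
    "modify": [r'* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "',
               r'* ".*freakattack.*" ""'],
}


def parse_rule(category, text):
    sid = int(re.search(r"\bsid:\s*(\d+)", text).group(1))
    gid = re.search(r"\bgid:\s*(\d+)", text)
    return {"category": category, "gid": int(gid.group(1)) if gid else 1,
            "sid": sid, "text": text, "enabled": True}


def selector_matches(selector, rule):
    """Does one disablesid/dropsid/enablesid line select this rule?"""
    if selector.startswith("pcre:"):
        return re.search(selector[5:], rule["text"]) is not None  # regex as written, spaces included
    sel = selector.strip()
    m = re.fullmatch(r"(\d+):(\d+)-(\d+):(\d+)", sel)           # gid:start-gid:end range
    if m:
        g1, s1, g2, s2 = map(int, m.groups())
        return rule["gid"] == g1 == g2 and s1 <= rule["sid"] <= s2
    m = re.fullmatch(r"(\d+):(\d+)", sel)                         # gid:sid
    if m:
        return (rule["gid"], rule["sid"]) == (int(m.group(1)), int(m.group(2)))
    if sel.isdigit():                                             # bare sid implies gid 1
        return rule["gid"] == 1 and rule["sid"] == int(sel)
    return sel == rule["category"]                                # category file name


def apply_state(rules, conf, state_order="disable,drop,enable"):
    """Run the disable/drop/enable passes in the order given; later passes win."""
    for step in (s.strip() for s in state_order.split(",")):
        for line in conf.get(step, []):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            for r in rules:
                if selector_matches(line, r):
                    r["enabled"] = step != "disable"
                    if step == "drop":  # dropsid rewrites the action to drop
                        r["text"] = re.sub(r"^\w+", "drop", r["text"], count=1)
    return rules


MODIFY_RE = re.compile(r'^(\S+)\s+"(.*?)"\s+"(.*)"$')


def apply_modify(rules, lines):
    """modifysid lines: <sid|*> "regex" "replacement"; an empty result removes the rule."""
    for line in lines:
        m = MODIFY_RE.match(line.strip())
        if not m:
            continue
        target, pattern, repl = m.groups()
        for r in rules:
            if r["gid"] == 1 and target in ("*", str(r["sid"])):  # gid:1 only, as the thread notes
                r["text"] = re.sub(pattern, repl, r["text"])
    return rules


def render(rules, only_enabled=False):
    """Lines of the generated snort.rules: disabled rules are commented out
    unless only_enabled is set (the -E behaviour)."""
    out = []
    for r in rules:
        if not r["text"]:
            continue                       # emptied by modifysid
        if r["enabled"]:
            out.append(r["text"])
        elif not only_enabled:
            out.append("# " + r["text"])
    return out


def build_snort_rules(only_enabled=False, state_order="disable,drop,enable"):
    rules = [parse_rule(cat, txt) for cat, txt in SAMPLE_RULES]
    apply_state(rules, CONF, state_order)
    apply_modify(rules, CONF["modify"])
    return render(rules, only_enabled)


def enabled_ids(lines):
    """(gid, sid) of every uncommented rule in a rendered file."""
    return {(r["gid"], r["sid"]) for r in
            (parse_rule("", l) for l in lines if not l.startswith("#"))}


if __name__ == "__main__":
    print("\n".join(build_snort_rules(only_enabled=False)))
```

Two things the model makes visible. First, state_order decides everything: with disable,drop,enable the blanket pcre:. is applied first and the enablesid lines win, whereas with the passes reversed the disable pass runs last and the output is empty. Second, quoting: the echo commands in the thread hand the file pcre:OpenSSL (the shell strips the single quotes), and this model treats anything after pcre: literally as the regex, so a line written into enablesid.conf by hand as pcre:'OpenSSL' would match only a rule whose text contains the quotes; whether a given pulledpork version strips such quotes is not something this example can tell you, so check the generated snort.rules rather than assuming.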
Current thread:
- Enabling Only Applicable Rules bobby (May 12)
- Re: Enabling Only Applicable Rules Marcin Dulak (May 14)
- Message not available
- Re: Enabling Only Applicable Rules Marcin Dulak (Jun 06)
- Re: Enabling Only Applicable Rules bobby (Jun 06)
- Re: Enabling Only Applicable Rules Marcin Dulak (Jun 06)
- Message not available
- Re: Enabling Only Applicable Rules Marcin Dulak (May 14)