[Snort-sigs] Quickdraw IDS rule set
farbera at ...2420...
Tue Aug 18 11:34:25 EDT 2015
I am trying to configure the Digital Bond Quickdraw IDS rules into
either Security Onion or just a regular Ubuntu 14.02 with Snort
18.104.22.168. I have
cloned this repository and have been in contact with Digital Bond about
initial configuration and have run into some problems. I was told by
Digital Bond that the rule set from the git repository should work fine
with all versions of Snort and not require preprocessors for rules other
than Ethernet / IP.
With that I configured my snort.conf file to look for the quickdraw
rules and I ran the Digital Bond test pcap files through tcpreplay and
my Snort did not provide any alerts. I tried running the pcap through
Snort via the command line with the file import option and it still did
not cause for any alerts to be triggered. I am still talking with
Digital Bond about if it is the rules they provided, an issue with the
pcap files they provided, or if Snort is not interacting correctly with
the rules provided. I have run non-ICS pcaps through Snort and it
responded correctly. By correctly I mean I was able to view the results
in Squil, so that could be another point of failure for this. Thank you
for any help provided.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs