[Snort-sigs] Quickdraw IDS rule set

Adam Farber farbera at ...2420...
Tue Aug 18 11:34:25 EDT 2015


I am trying to configure the Digital Bond Quickdraw IDS rules into 
either Security Onion or just a regular Ubuntu 14.02 with Snort 
2.9.7.5.  I have cloned this repository:

https://github.com/digitalbond/quickdraw

I have been in contact with Digital Bond about initial configuration 
and have run into some problems.  I was told by Digital Bond that the 
rule set from the git repository should work fine with all versions of 
Snort and not require preprocessors for rules other than Ethernet / IP.

With that I configured my snort.conf file to look for the Quickdraw 
rules and I ran the Digital Bond test pcap files through tcpreplay, and 
my Snort did not provide any alerts.  I tried running the pcap through 
Snort via the command line with the file import option and it still did 
not cause any alerts to be triggered.  I am still talking with Digital 
Bond about whether it is the rules they provided, an issue with the pcap 
files they provided, or whether Snort is not interacting correctly with 
the rules provided.  I have run non-ICS pcaps through Snort and it 
responded correctly.  By correctly I mean I was able to view the results 
in Sguil, so that could be another point of failure for this.  Thank you 
for any help provided.

V/r,
Adam Farber
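A pre-flight check for the situation described in this post, added here as an example and not taken from the post or the Quickdraw repository: it lists the rule files a snort.conf actually includes, flags any that are missing on disk, counts the rules that are not commented out, and replays a pcap offline with alerts on the console. The config path, rules directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not the Quickdraw project's own tooling). Paths are assumptions.

# Print every rule file referenced by an uncommented "include" line in snort.conf,
# with $RULE_PATH expanded to the directory given as the second argument.
list_rule_includes() {
  conf="$1"; rule_path="$2"
  sed -n -E 's/^[[:space:]]*include[[:space:]]+([^[:space:]#]+).*/\1/p' "$conf" |
    sed "s|[\$]RULE_PATH|$rule_path|g"
}

# Print the number of included rule files that do not exist on disk. A bad
# include path is one quiet way to end up with a config that loads no rules.
count_missing_includes() {
  n=0
  for f in $(list_rule_includes "$1" "$2"); do
    [ -f "$f" ] || { echo "missing rule file: $f" >&2; n=$((n + 1)); }
  done
  echo "$n"
}

# Print the number of active rules in a .rules file. Rules commented out with
# '#' load without any error but can never fire.
count_active_rules() {
  grep -c -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# Validate the config (snort -T) and then read the pcap offline, printing alerts
# to the console. -k none disables checksum verification: replayed or synthetic
# test pcaps with bad TCP/UDP checksums are otherwise flagged by the decoder and
# not evaluated against the rules, which also looks like "no alerts".
replay_pcap() {
  conf="$1"; pcap="$2"
  snort -q -T -c "$conf" || return 1
  snort -q -A console -k none -c "$conf" -r "$pcap"
}

# Example usage (assumed paths):
#   count_missing_includes /etc/snort/snort.conf /etc/snort/rules
#   count_active_rules /etc/snort/rules/quickdraw.rules
#   replay_pcap /etc/snort/snort.conf /path/to/test.pcap
```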
