[Snort-users] Rules and Tuning

JJ Cummings cummingsj at ...11827...
Thu Aug 16 19:03:27 EDT 2012


If you are running pulledpork then it sticks all rules in a single file by default... Dig through there and enjoy

Sent from the iRoad
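As an added example (not code from the thread, from pulledpork or from the VRT), a small Python script that produces the listing Steve asks for from the single merged rules file JJ mentions: for each rule its sid, whether it is currently enabled (an uncommented line) or disabled (a leading `#`), the msg, classtype and the reference metadata Tony describes below. The rule syntax and option names are standard Snort; the sample rules embedded in the script are constructed, not real rules.

```python
import re
import sys

# Constructed sample in the shape of a pulledpork-merged .rules file.
# The sids, messages and references are made up for this example.
SAMPLE_RULES = """\
# ----- constructed sample, not real VRT rules -----
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server,established; content:"|FF|SMB"; reference:cve,2000-0000; reference:url,www.example.com/advisory; classtype:attempted-recon; sid:1000001; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE disabled policy rule"; content:"foo"; classtype:policy-violation; sid:1000002; rev:1;)
# a plain comment line, not a rule
"""

# A rule line is: [#] action header (options); a leading '#' means the rule is disabled.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s+'
    r'(?P<header>[^(]*)\((?P<opts>.*)\)\s*$')
# One option: key:value; where value may be a quoted string (which may contain ';').
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rules(text):
    """Return one dict per rule with sid, enabled flag, msg, classtype and references."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # blank lines and ordinary comments
        opts, refs = {}, []
        for key, val in OPT_RE.findall(m.group('opts')):
            val = val.strip('"')
            if key == 'reference':        # may repeat: cve, bugtraq, url, ...
                refs.append(val)
            else:
                opts[key] = val
        rules.append({'sid': int(opts.get('sid', 0)),
                      'enabled': m.group('disabled') is None,
                      'msg': opts.get('msg', ''),
                      'classtype': opts.get('classtype', ''),
                      'references': refs})
    return rules


def render_listing(rules):
    """One line per rule, for reviewing which rules to keep on or turn off."""
    return ['%-8d %-3s %-20s %s  [%s]' % (r['sid'], 'on' if r['enabled'] else 'off',
                                          r['classtype'], r['msg'], ' '.join(r['references']))
            for r in rules]


if __name__ == '__main__':
    # Usage: python list_rules.py /path/to/snort.rules   (no argument: the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print('\n'.join(render_listing(parse_rules(text))))
```

Point it at the merged file pulledpork writes and grep or sort the output by classtype to decide which sids go into your disable list.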

On Aug 14, 2012, at 14:52, Steven Vona <savona at ...15736...> wrote:

> Thanks for the help.  But what I really need is a listing of all the rules.  We want to go through the whole list and select what we need enabled and not enabled.  Is this possible?
> 
> 
> On Tue, Aug 14, 2012 at 11:48 AM, Tony Robinson <trobinson at ...1935...> wrote:
> To expand on JJ's answer,
> 
> This depends on what ruleset you are utilizing, Steve, but at least for the VRT ruleset, there are multiple ways for you to obtain more information for a given rule. If you have the sid number/message, the actual rule (or rule stub in the case of SO rules) will usually have metadata associated with the rule -- MS vulnerability IDs, CVE numbers, as well as links to websites with more information (e.g. links to bugtraq or MS technet, virustotal, etc.)
> 
> If you don't want to dig in the .rules files, then, at least for VRT rules, snort.org has a rule search page that, given a SID, can give you more information on a given rule
> www.snort.org/search
> 
> Additionally, the downloads page has a file, opensource.gz, that has rule documentation available as well.
> 
> Hope this helps,
> 
> Tony
> 
> On Mon, Aug 13, 2012 at 1:42 PM, Steven Vona <savona at ...15736...> wrote:
> Is there someplace I can get a list of rules and what they are looking for?  We are getting a ton of alerts and I would like to fine tune which rules should be active and which rules should be disabled.  I need more information than just the name of the rule.
> 
> Thanks,
> Steve
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> 
> Tony Robinson
> Security Consultant I
> SourceFIRE Professional Services Division
> 