[Snort-users] disablesid.conf Issue (was Syntax for "ignore=" in Pulledpork)

Stark, Vernon L. Vernon.Stark at ...383...
Thu Nov 14 09:56:22 EST 2013


Thanks for the help YM.

Unfortunately, I'm not getting 100% success when using disablesid.conf.  I tried various additions to disablesid.conf (ET-chat, emerging-chat.rules, emerging-chat, and ET-chat.rules) and  get the best results when I include the following line in disablesid.conf:

ET-chat

This still leaves 9 active ET chat rules in snort.rules:

# cat snort.rules | grep "ET CHAT"  | wc -l
9
The sids of these chat rules show that they come from the emerging chat.rules file.  Pulledpork does eliminate the majority of the Emerging Threat chat rules, but doesn't disable all the rules.  Has anyone else run into this issue?  Any suggestions for a fix/workaround?

In case it's relevant, I have the following line in pulledpork.conf:

state_order=disable,drop,enable

I'm only using enablesid.conf to enable a single sid.

Vern
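A check that helps with the situation described above: the grep in the message counts every line containing "ET CHAT", including rules pulledpork has already commented out, so it can overstate what is actually enabled. The following script is an added example, not code from the thread or from pulledpork; it parses a snort.rules file, separates enabled rules from commented-out ones, lists the "ET CHAT" rules still enabled, and prints them in the per-rule gid:sid form that disablesid.conf accepts (the sample rules, sids and messages below are constructed for illustration and are not real Emerging Threats rules).

```python
import re

# Constructed sample of pulledpork-generated snort.rules lines. The sids and
# messages are made up for this example; they are not real Emerging Threats rules.
# pulledpork writes the rules it has disabled as commented-out ("# alert ...") lines.
SAMPLE_SNORT_RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"ET CHAT sample rule disabled by pulledpork"; flow:to_server,established; classtype:policy-violation; sid:2100001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT sample rule still enabled"; flow:to_server,established; classtype:policy-violation; sid:2100002; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY unrelated sample rule"; flow:to_server,established; classtype:policy-violation; sid:2100003; rev:1;)
# the next line is an ordinary comment, not a disabled rule
alert udp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET CHAT another enabled sample"; classtype:policy-violation; sid:2100004; rev:2;)
alert tcp any any -> any any (msg:"ET CHAT sample with explicit gid"; gid:3; sid:2100005; rev:1;)
"""

RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')
GID_RE = re.compile(r'\bgid:\s*(\d+)')


def parse_rules(text):
    """Return a list of dicts {gid, sid, msg, enabled} for every rule line.

    A line starting with a rule action is enabled; a line starting with '#'
    followed by a rule action is a rule pulledpork commented out (disabled).
    Other comment lines and blank lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith("#"):
            enabled = False
            line = line.lstrip("#").strip()
        if not line.startswith(RULE_ACTIONS):
            continue  # plain comment or something that is not a rule
        msg = MSG_RE.search(line)
        sid = SID_RE.search(line)
        if not (msg and sid):
            continue  # malformed rule line; skip rather than guess
        gid = GID_RE.search(line)
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,  # Snort defaults gid to 1
            "sid": int(sid.group(1)),
            "msg": msg.group(1),
            "enabled": enabled,
        })
    return rules


def enabled_matching(rules, msg_prefix):
    """Rules still enabled whose msg starts with msg_prefix (e.g. 'ET CHAT')."""
    return [r for r in rules if r["enabled"] and r["msg"].startswith(msg_prefix)]


def disablesid_entries(rules):
    """gid:sid lines, sorted, in the per-rule form disablesid.conf accepts."""
    ordered = sorted(rules, key=lambda r: (r["gid"], r["sid"]))
    return [f'{r["gid"]}:{r["sid"]}' for r in ordered]


if __name__ == "__main__":
    import sys
    # Usage: python check_et_chat.py /path/to/snort.rules (falls back to the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SNORT_RULES
    leftovers = enabled_matching(parse_rules(text), "ET CHAT")
    print(f"{len(leftovers)} ET CHAT rule(s) still enabled")
    for r in leftovers:
        print(f'  {r["gid"]}:{r["sid"]}  {r["msg"]}')
    print("# add to disablesid.conf to disable these individually:")
    print("\n".join(disablesid_entries(leftovers)))
```

Run it against the real snort.rules after a pulledpork run; the sids it prints are the ones the category entry did not cover, and pasting the gid:sid lines into disablesid.conf (with disable first in state_order, as in the configuration above) disables exactly those rules on the next run without touching the rest of the category.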

From: Y M [mailto:snort at ...15979...]
Sent: Wednesday, November 13, 2013 12:12 PM
To: Stark, Vernon L.; snort-users
Subject: RE: [Snort-users] Syntax for "ignore=" in Pulledpork

Hi,

You need to define the rules/categories you want to ignore/disable in the "disablesid.conf" file. Edit the same file and add:

emerging-chat.rules

The comments/documentation inside the "disablesid.conf" file should be sufficient to get you going. I am not sure if the "ignore" within the "pulledpork.conf" will operate on ET rules. Someone else can jump in and comment in this regard.

Hope this helps.
YM
________________________________
From: Vernon.Stark at ...383...
To: snort-users at lists.sourceforge.net
Date: Wed, 13 Nov 2013 12:01:36 -0500
Subject: [Snort-users] Syntax for "ignore=" in Pulledpork
What syntax is required with the "ignore=" line in Pulledpork (0.7.0) when ignoring selected Emerging Threats rules?  For example, if one wants to ignore chat.rules from the Emerging Rules set, what syntax is required?  I tried all of the following and yet "ET CHAT" rules still end up in snort.rules in the enabled state.

ignore=emerging-chat.rules

ignore=ET-chat.rules

ignore=emerging-chat

ignore=ET-chat

I have recent rule downloads, so I've been using the following:

./pulledpork.pl -c pulledpork.conf -n -P -E

Vern
