[Snort-users] Enabling all the rules for testing using PulledPork?

JJC cummingsj at ...11827...
Tue Feb 18 11:00:11 EST 2014


Inline

Sent from the iRoad

> On Feb 18, 2014, at 6:53, Michael Steele <michaels at ...9057...> wrote:
> 
> I have users asking why they are not seeing any alerts when they install PP, and using the 'security' setting. For testing purposes, I would like to write something up that tells the installer how to enable all the rules for testing purposes only.
> 
> So I'm adding the next line to the enablesid.conf file, and is it correct?
> 
> PCRE wildcard "."

Yes

> 
> Also does the following line in the pulledpork.conf need to be enabled, disabled, or it doesn't matter?
> 
> ips_policy=security
> 
> The above should activate all the alerts?
> 
> In the latest rule set there are three alerts that cause Snort to fail unless they are disabled.
> 
> os-linux.rules:
> Line 23: # alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; content:"|11|"; depth:1; content:"|00|"; within:1; isdataat:11; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:2;)
> 
> server-other.rules:
> 
> Line 289: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:3;)
> 
> Line 290: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:3;)
> 
> By enabling all the alerts, what will I need to do to make sure these three rules are disabled after PP enables all the alerts.

Add their sid to disablesid.conf and make sure that disablesid runs last.

> 
> To revert back to the original 'ips_policy=security' setting: removing the line added to the 'enablesid.conf ' file, and run PP again?

Yes

> 
> Will the three disabled rules above need to be removed, or will it matter?

Doesn't matter...

> 
> Thanks...
> 
>> On Tuesday, September 24, 2013 2:55:30 PM UTC-4, JJC wrote:
>> PCRE wildcard "." In enablesid
>> 
>> Sent from the iRoad
>> 
>>> On Sep 24, 2013, at 11:07, "Michael Steele" <mich... at ...9057...> wrote:
>>> 
>>> Is there a way to easily enable all the rules using PulledPork
>>> 
>>>  
>>> 
>>> Best regards,
>>> 
>>> Michael 
>>> 
>>> -- 
>>> You received this message because you are subscribed to the Google Groups "pulledpork users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to pulledpork-use... at ...15441...
>>> To post to this group, send email to pulledpo... at ...15441...
>>> Visit this group at http://groups.google.com/group/pulledpork-users.
>>> For more options, visit https://groups.google.com/groups/opt_out.
> 
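The ordering point in the reply above (enable everything with a PCRE wildcard, then let disablesid run last so the three IGMP rules stay commented out) can be checked without a live Snort install. The following is an added example written for this thread, not PulledPork's own code: a small stand-in that applies enablesid/disablesid entries to a handful of rule lines in either order. The `pcre:<regex>` and `gid:sid` entry syntax mirrors PulledPork's enablesid.conf/disablesid.conf format as assumed here; the three SIDs come from the thread, and the fourth rule (sid 1000001) is constructed for illustration.

```python
import re

# Constructed sample rule file. SIDs 25314, 20747 and 20746 are the ones named
# in the thread (trimmed to the options that matter here); sid 1000001 is made up.
SAMPLE_RULES = """\
# alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; sid:25314; rev:2;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; sid:20747; rev:3;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; sid:20746; rev:3;)
# alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED local example rule"; sid:1000001; rev:1;)
"""

# enablesid.conf: the PCRE wildcard from the thread, which matches every rule line.
ENABLESID_CONF = "pcre:.\n"

# disablesid.conf: the three rules the thread says break Snort when active.
DISABLESID_CONF = "1:25314,1:20747,1:20746\n"

SID_RE = re.compile(r"sid:\s*(\d+)\s*;")
COMMENT_RE = re.compile(r"^\s*#\s*")


def parse_entries(conf_text):
    """Parse a minimal enablesid/disablesid file (assumed syntax):
    '#' lines are comments, 'pcre:<regex>' lines are regexes matched against
    the whole rule line, and everything else is comma-separated gid:sid entries."""
    sids, patterns = set(), []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            patterns.append(re.compile(line[len("pcre:"):]))
            continue
        for item in line.split(","):
            _gid, _, sid = item.strip().partition(":")
            sids.add(int(sid))
    return sids, patterns


def matches(rule, sids, patterns):
    """True if the rule's sid is listed or any pcre entry matches the line."""
    m = SID_RE.search(rule)
    if m and int(m.group(1)) in sids:
        return True
    return any(p.search(rule) for p in patterns)


def enable(rule):
    """Uncomment a rule line (no-op if it is already active)."""
    return COMMENT_RE.sub("", rule, count=1)


def disable(rule):
    """Comment a rule line out (no-op if it is already commented)."""
    return rule if rule.lstrip().startswith("#") else "# " + rule


def apply_modifications(rules_text, enable_conf, disable_conf, disable_last=True):
    """Run the enable and disable passes over every rule line.
    disable_last=True is the order the thread recommends."""
    steps = [("enable", parse_entries(enable_conf)),
             ("disable", parse_entries(disable_conf))]
    if not disable_last:
        steps.reverse()
    out = []
    for rule in rules_text.splitlines():
        for action, (sids, patterns) in steps:
            if matches(rule, sids, patterns):
                rule = enable(rule) if action == "enable" else disable(rule)
        out.append(rule)
    return out


def active_sids(rules):
    """SIDs of the rules that are not commented out, sorted."""
    return sorted(int(SID_RE.search(r).group(1))
                  for r in rules if not r.lstrip().startswith("#"))


if __name__ == "__main__":
    good = apply_modifications(SAMPLE_RULES, ENABLESID_CONF, DISABLESID_CONF, True)
    bad = apply_modifications(SAMPLE_RULES, ENABLESID_CONF, DISABLESID_CONF, False)
    print("disablesid last :", active_sids(good))   # only the local rule stays on
    print("disablesid first:", active_sids(bad))    # the wildcard re-enables all three
```

With disablesid applied last, only sid 1000001 ends up active; with the order reversed, the three IGMP rules are already commented when the disable pass runs, so the subsequent `pcre:.` enable pass turns them back on. That is the failure mode the reply is warning about.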