[Snort-users] Disablesid.conf and classtype

Juan Camilo Valencia camilo.valencia13 at ...11827...
Fri Feb 21 11:52:16 EST 2014


Hi,

We have been doing it based on CVE or category; here are some examples. I'm
not completely sure that this is the most optimized, but it works; you can use
it for your keyword:

#Regex to find Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
#Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
#Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted-(admin|user) and misc-activity
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
#Regex to enable rules in VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)

I hope that this helps you,

Best Regards


On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan at ...131...> wrote:

> Hi All,
>     Is anyone using regular expressions in pulledpork's disablesid.conf
> file to disable rules based on the classtype: of a rule?
>
> If so can you post an example?
>
> Thanks,
> Ed
>
> Sent from a mobile device.
>



-- 
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín Colombia

*"Choose a job you love, and you will never have to work a day in your
life"*
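The pcre: tests from the post applied to constructed Snort rules, as an added example that is not part of the original message: it shows which SIDs each lookahead would select when matched against the whole rule text. The sample rules and their local SIDs are constructed, and case-insensitive matching is an assumption, not something the post or pulledpork's documentation states.

```python
import re

# Constructed sample rules with local SIDs (not real VRT rules), in the
# format pulledpork reads; each pcre: test is applied to the whole rule text.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample '
    'use-after-free attempt"; flow:to_client,established; classtype:attempted-user; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample '
    'ActiveX clsid access"; flow:to_client,established; classtype:misc-activity; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA sample '
    'Apple QuickTime atom overflow"; flow:to_client,established; classtype:attempted-user; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA sample '
    'codec download"; flow:to_client,established; classtype:policy-violation; sid:1000004; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC sample '
    'outbound beacon"; flow:to_server,established; classtype:trojan-activity; sid:1000005; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS sample '
    'ActiveX overflow"; flow:to_client,established; classtype:attempted-user; sid:1000006; rev:1;)',
]

# The lookahead tests from the post, exactly as they follow "pcre:" in
# disablesid.conf / enablesid.conf.
PCRE_TESTS = [
    r'(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)',
    r'(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)',
    r'(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)',
    r'(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)',
]

SID_RE = re.compile(r'\bsid:(\d+);')


def sid_of(rule):
    """Return the sid: value of a rule, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def sids_by_test(rules, tests, flags=re.IGNORECASE):
    """Map each pcre test to the sorted SIDs whose rule text satisfies it.

    Every lookahead must hold somewhere in the rule, so a test only fires when
    the category word and the classtype word both appear. Assumption: matching
    is case-insensitive, as the post's lower-case vendor names imply; pass
    flags=0 to see that "Apple" would otherwise not match "apple".
    """
    result = {}
    for test in tests:
        pattern = re.compile(test, flags)
        result[test] = sorted(sid_of(r) for r in rules if pattern.search(r))
    return result


def all_matching_sids(rules, tests, flags=re.IGNORECASE):
    """Union of SIDs any test would select (what pulledpork would toggle)."""
    return sorted({s for sids in sids_by_test(rules, tests, flags).values() for s in sids})
```

Because the lookaheads match anywhere in the rule text, a classtype word that happens to appear inside a msg string would also satisfy them; prefixing the word with `classtype:` in the lookahead narrows the test to the actual option.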