[Snort-users] Disablesid.conf and classtype

Joel Esler (jesler) jesler at ...589...
Fri Feb 21 14:39:51 EST 2014


Perhaps a bit off topic from the original thread, but Juan’s email prompted me about the way he seems to be doing things.

Have you seen this?

http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html



--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <camilo.valencia13 at ...5119...827...> wrote:

Hi,

We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most optimized, but it works, and you can use it for your keyword:

#Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
#Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan\.org)\b)
#Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and
#attempted-(admin|user) and misc-activity
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
#Regex to enable rules in VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)

I hope that this help you,

Best Regards


On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan at ...131...> wrote:
Hi All,
Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule?

If so can you post an example?

Thanks,
Ed

Sent from a mobile device.
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín Colombia

“Choose a job you love, and you will never have to work a day in your life”
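The pcre: entries Juan posted rely on one property of pulledpork's disablesid.conf handling: each expression is tested against the complete rule line, so independent lookaheads can pin the msg keyword (BROWSER-IE, FILE-MULTIMEDIA, ...) and the classtype: without caring about their order in the rule. Before committing a new pattern it is worth dry-running it against the ruleset to see exactly which SIDs it would disable, since a loose lookahead can silently take out far more than intended. The script below is an added example, not part of the thread and not pulledpork's own code; it emulates the matching with Python's re module. Assumptions: pulledpork matches pcre: patterns against the whole rule text and writes disabled rules commented out with a leading "# "; the rules and the disablesid.conf fragment are constructed for the demo (the fragment reuses the thread's patterns, with the dot in videolan.org escaped so it matches a literal dot rather than any character).

```python
"""Dry-run pulledpork-style disablesid.conf 'pcre:' entries against rule text.

Added example for the Snort-users thread; not pulledpork's implementation.
"""
import re

# Constructed sample rules (not real VRT rules); they mimic Snort rule syntax
# only closely enough for the msg, classtype, reference and sid fields to be matched.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE example use-after-free attempt"; flow:to_client,established; classtype:attempted-user; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE example information disclosure"; flow:to_client,established; classtype:attempted-recon; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE example policy check"; flow:to_client,established; classtype:policy-violation; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA example QuickTime overflow attempt"; classtype:attempted-user; reference:url,apple.com/example; sid:1000004; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA example VLC overflow attempt"; classtype:attempted-user; reference:url,example.org/example; sid:1000005; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC example beacon"; classtype:trojan-activity; sid:1000006; rev:1;)',
]

# Constructed disablesid.conf fragment reusing the patterns from the thread.
# Lines starting with '#' are comments, as in pulledpork's own config files.
DISABLESID_CONF = r"""
# IE rules in any attempted-* classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
# Multimedia attempted-user rules that mention one of three vendors
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan\.org)\b)
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")


def parse_pcre_entries(conf_text):
    """Compile every 'pcre:' line of a disablesid.conf text; skip blanks and '#' comments."""
    patterns = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            patterns.append(re.compile(line[len("pcre:"):]))
    return patterns


def rule_sid(rule):
    """Return the rule's sid as an int, or None when the line carries none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_classtype(rule):
    """Return the rule's classtype value, or None when absent."""
    m = CLASSTYPE_RE.search(rule)
    return m.group(1) if m else None


def plan_disables(rules, patterns):
    """Map each matched rule's sid to the list of pattern sources that hit it.

    Assumption (mirrors pulledpork): every pattern is searched over the whole
    rule line, so lookaheads anchored at the start of the line see every field.
    """
    hits = {}
    for rule in rules:
        sid = rule_sid(rule)
        if sid is None:
            continue
        matched = [p.pattern for p in patterns if p.search(rule)]
        if matched:
            hits[sid] = matched
    return hits


def apply_disables(rules, sids):
    """Comment out rules whose sid is in `sids` (assumed '# ' prefix, as pulledpork writes)."""
    out = []
    for rule in rules:
        if rule_sid(rule) in sids and not rule.lstrip().startswith("#"):
            out.append("# " + rule)
        else:
            out.append(rule)
    return out


def summarize(rules, conf_text):
    """Return (sid, classtype, would_be_disabled) for every rule, for a review pass."""
    hits = plan_disables(rules, parse_pcre_entries(conf_text))
    return [(rule_sid(r), rule_classtype(r), rule_sid(r) in hits) for r in rules]


if __name__ == "__main__":
    for sid, ctype, disabled in summarize(SAMPLE_RULES, DISABLESID_CONF):
        print(f"sid:{sid} classtype:{ctype} -> {'DISABLE' if disabled else 'keep'}")
```

Run against the constructed set, the first pattern disables sids 1000001 and 1000002 but leaves the policy-violation IE rule alone, the vendor lookahead keeps the VLC rule because nothing in its text matches apple, adobe or videolan.org, and the MALWARE-CNC pattern takes exactly the one trojan-activity rule. The same summarize() pass over a real VRT rules file is the check to run before letting pulledpork act on a new pcre: line.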
