[Snort-users] How to activate all rules using PulledPork?

SnortFan SnortFan at ...131...
Mon Feb 24 12:46:43 EST 2014


Hi Michael,  
    You can have the file sit there if you'd like, you just have to have the reference uncommented and correctly defined in your pulledpork.conf. 

Here is my list:


app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11


If you want you can disable by placing a # in front of any line. So #x11 would disable pulledpork from enabling the x11 rules. 

Note:  the category is not the same as a class type.  I've seen multiple class types lumped into a category. 

Before you add them and do a pull, do a line count of uncommented lines in your snort.rules file. Then do the same after. 

Enjoy,
Ed 

Sent from a mobile device. 
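As an added example (not code from this thread or from PulledPork itself), the script below does Ed's before/after check in one pass: it counts enabled and commented-out rules per category in a PulledPork-generated snort.rules and reports categories that are not listed in enablesid.conf. It assumes each rule's msg begins with its category name in upper case (FILE-PDF, MALWARE-CNC, ...), which holds for the VRT categories in Ed's list; the rule lines and SIDs it embeds are constructed.

```python
"""Added example (not from the thread or from PulledPork): audit a PulledPork
snort.rules against enablesid.conf. Assumes each rule msg starts with its
category name in upper case (FILE-PDF, MALWARE-CNC, ...), as VRT rules do."""
import re

# A leading "# " marks a rule that PulledPork wrote out disabled.
RULE_RE = re.compile(r'^(#\s*)?(?:alert|log|pass|drop|sdrop|reject)\s.*?msg:"([^"]+)"')

# Constructed snort.rules excerpt; SIDs in the 9000000 range are placeholders.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"FILE-PDF sample a"; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"FILE-PDF sample b"; sid:9000002; rev:1;)
# alert tcp any any -> any 6000 (msg:"X11 sample"; sid:9000003; rev:1;)
"""
# Constructed enablesid.conf: one category listed, one commented out.
SAMPLE_ENABLESID = """\
# example enablesid.conf v3.1
file-pdf
#x11
"""

def count_rules(rules_text):
    """Return {category: [enabled, disabled]}, one entry per rule category."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # category banners, blank lines and other comments
        category = m.group(2).split()[0].lower()
        counts.setdefault(category, [0, 0])[1 if m.group(1) else 0] += 1
    return counts

def parse_enablesid(text):
    """Return the categories listed on uncommented lines of enablesid.conf."""
    cats = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.lower().startswith("pcre:"):
            continue  # comments and pcre: filters are not category names
        cats.update(t.strip().lower() for t in line.split(",") if t.strip())
    return cats

def audit(rules_text, enablesid_text):
    """Totals for the before/after line count, plus categories not listed."""
    counts = count_rules(rules_text)
    return {
        "enabled": sum(e for e, _ in counts.values()),
        "disabled": sum(d for _, d in counts.values()),
        "not_in_enablesid": sorted(set(counts) - parse_enablesid(enablesid_text)),
    }
```

Run audit() on the snort.rules before and after a pull: the "enabled" total is the uncommented line count Ed describes, and "not_in_enablesid" names the categories you still have to add.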

> On Feb 23, 2014, at 8:11 PM, "Michael Steele" <michaels at ...9077...> wrote:
> 
> All I do is add the attached enablesid.conf to the pulledpork/etc folder?
>  
> Is the list correct format?
>  
> Michael...
>  
> From: SnortFan [mailto:SnortFan at ...131...] 
> Sent: Thursday, February 20, 2014 7:29 PM
> To: Michael Steele
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] How to activate all rules using PulledPork?
>  
> If you're talking about all those commented out rules that pulled pork leaves in the snort.rules file, try adding the snort rules categories in the enablesid file.  
>  
> If you need a list of the categories, their names are in the snort.rules file or I can find it in one of my emails to the forum.
>  
> Cheers,
> Ed
> 
> Sent from a mobile device. 
> 
> On Feb 20, 2014, at 2:14 PM, "Michael Steele" <michaels at ...9077...> wrote:
> 
> I've been trying to get PulledPork to enable all rules, and so far all help has stalled in the PulledPork Google Groups.
>  
> I'm told by JJ that it is possible, and he has instructed me to add <PCRE wildcard "."> (everything between the <>) to the enablesid.conf, and all the alerts would be activated.
>  
> I'm having no problems processing rules with any one of the three IP_Policy settings
>  
> Hopefully someone has a solution to this?
>  
> Here is my pulledpork.conf:
>  
> # Config file for pulledpork
> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>
> rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
> rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
> rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>
> temp_path=d:\winids\pulledpork\temp
> rule_path=d:\winids\snort\rules\winids.rules
> local_rules=d:\winids\snort\rules\local.rules
> sid_msg=d:\winids\snort\etc\sid-msg.map
> sid_msg_version=1
> sid_changelog=d:\winids\snort\log\sid_changes.log
> sorule_path=/usr/local/lib/snort_dynamicrules/
> snort_path=/usr/local/bin/snort
> config_path=/usr/local/etc/snort/snort.conf
> distro=FreeBSD-8.1
> docs=d:\winids\Apache24\htdocs\base\signatures\
> snort_version=2.9.5.6
> enablesid=d:\winids\pulledpork\etc\enablesid.conf
> dropsid=d:\winids\pulledpork\etc\dropsid.conf
> disablesid=d:\winids\pulledpork\etc\disablesid.conf
> modifysid=d:\winids\pulledpork\etc\modifysid.conf
> ips_policy=security
> version=0.7.0
>  
>  
> Here is my enablesid.conf:
>  
> # example enablesid.conf v3.1
> PCRE wildcard "."
>  
> Here is my run line:
>  
> pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vT
>  
> TIA...
> Michael...
> <enablesid.conf>