[Snort-users] Disablesid.conf and classtype

SnortFan SnortFan at ...131...
Wed Feb 26 13:05:51 EST 2014


Hi Joel,
      I'm a little confused. Are all new rules created being placed into a rule category? How do you pull rules based on temporal concerns? How do I pull rules based on CVSS score?

Right now I'm pulling rules based on categories using the enablesid.conf in pulledpork, and that's probably a lot more rules than I need.

Thanks,
Ed

Sent from a mobile device. 

> On Feb 21, 2014, at 2:39 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
> 
> Perhaps a bit off topic from the original thread, but Juan's email prompted me about the way he seems to be doing things.
> 
> Have you seen this?
> 
> http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
> 
> 
> 
> --
> Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
> 
>> On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <camilo.valencia13 at ...846....11827...> wrote:
>> 
>> Hi,
>> 
>> We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most optimized, but it works. You can use it for your keyword:
>> 
>> #Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
>> pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
>> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
>> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
>> #Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
>> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
>> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
>> #Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted
>> #(admin|user) and misc-activity
>> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
>> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
>> #Regex to enable rules on VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
>> pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
>> 
>> I hope that this help you,
>> 
>> Best Regards
>> 
>> 
>>> On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan at ...131...> wrote:
>>> Hi All,
>>>     Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule?
>>> 
>>> If so can you post an example?
>>> 
>>> Thanks,
>>> Ed
>>> 
>>> Sent from a mobile device.
>>> ------------------------------------------------------------------------------
>>> Managing the Performance of Cloud-Based Applications
>>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>>> Read the Whitepaper.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> 
>> -- 
>> JUAN CAMILO VALENCIA VARGAS
>> Operations Engineer
>> SeguraTec S.A.S 
>> Calle 11 # 43B-50 of 307
>> Medellín, Colombia
>> 
>> “Choose a job you love, and you will never have to work a day in your life”
> 
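The lookahead patterns in Juan's message, applied to some rule text, as an added example (this is not code from the thread or from pulledpork itself): a small Python script that takes pulledpork-style `pcre:` lines, compiles them, and reports which sids from a handful of Snort rule lines they would select. The rule lines, sids (9000001 and up) and the `support.apple.com` reference URL are constructed for illustration and are not VRT rules; the script assumes the pattern is applied case-sensitively against the whole rule line, which is what Python's `re.search` does by default.

```python
import re

# Constructed sample rules for illustration only (not from the VRT ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use-after-free attempt"; classtype:attempted-user; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer version detection"; classtype:misc-activity; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime malformed atom"; reference:url,support.apple.com/kb/EXAMPLE; classtype:attempted-user; sid:9000003; rev:1;)',
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA generic media parser overflow"; classtype:attempted-user; sid:9000004; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Example outbound connection"; classtype:trojan-activity; sid:9000005; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB example"; classtype:attempted-admin; sid:9000006; rev:1;)',
    '# alert tcp any any -> any any (msg:"BROWSER-IE commented out"; classtype:attempted-user; sid:9000007; rev:1;)',
]

# The pcre: lines from the message, exactly as they would appear in enablesid.conf.
PCRE_LINES = [
    r"pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)",
    r"pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)",
    r"pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)",
    r"pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)",
    r"pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)",
    r"pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)",
    r"pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)",
    r"pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)",
]

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_pcre_line(line):
    """Strip the pulledpork 'pcre:' prefix and compile the remaining pattern.

    Assumption: the pattern is matched case-sensitively against the full rule line.
    """
    line = line.strip()
    if not line.startswith("pcre:"):
        raise ValueError("not a pcre: line: %r" % line)
    return re.compile(line[len("pcre:"):])


def rule_sid(rule):
    """Return the sid of an active rule line, or None for comments / rules without a sid."""
    if rule.lstrip().startswith("#"):
        return None
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def matching_sids(rules, pcre_lines):
    """Sorted sids of rules whose text satisfies at least one pcre: line.

    Every (?=...) lookahead inside one pattern must hold for the same rule,
    so a pattern is an AND of category, classtype and any extra keyword.
    """
    patterns = [parse_pcre_line(l) for l in pcre_lines]
    hits = set()
    for rule in rules:
        sid = rule_sid(rule)
        if sid is None:
            continue
        if any(p.search(rule) for p in patterns):
            hits.add(sid)
    return sorted(hits)


def explain(rules, pcre_lines):
    """Map each sid to the list of pcre: lines that selected it (for reviewing a config)."""
    out = {}
    for line in pcre_lines:
        pat = parse_pcre_line(line)
        for rule in rules:
            sid = rule_sid(rule)
            if sid is not None and pat.search(rule):
                out.setdefault(sid, []).append(line)
    return out


if __name__ == "__main__":
    for sid, lines in sorted(explain(SAMPLE_RULES, PCRE_LINES).items()):
        print(sid)
        for l in lines:
            print("    matched by", l)
    print("selected:", matching_sids(SAMPLE_RULES, PCRE_LINES))
```

Two things the run makes visible: the sample rule 9000004 is in FILE-MULTIMEDIA with classtype attempted-user but is not selected, because the attempted-user pattern also requires one of the vendor keywords; and those keywords are lowercase, so they match a `reference:url` such as `support.apple.com` rather than the capitalized vendor name in the msg. When writing such lines for disablesid.conf rather than enablesid.conf the logic is the same, only the effect is inverted.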