[Snort-users] Disablesid.conf and classtype

SnortFan SnortFan at ...131...
Wed Feb 26 13:30:41 EST 2014


Hi Joel,  
    I think I may have found it.  In the pulledpork.conf. I can set the ips_policy.  That will set for me the rule policy category mentioned in the article. I could then go back to my enablesid.conf and turn only only the categories not included in the ips_policy. 

So for example: if I set the ips policy to security and them add the VoIP catagory in my enablesid.conf, I will get:

CVSS score 8 or greater
Age current back 3 years
Rule categories:
Malware-cnc
Blacklist
SQL injection
Exploit kit
App-detect
VoIP 

I'm I on track?  Also for the VoIP,
Since it's an add on would it activate rules over the age setting older than the policy?

Thanks,
Ed

Sent from a mobile device. 

> On Feb 26, 2014, at 1:05 PM, SnortFan <SnortFan at ...131...> wrote:
> 
> Hi Joel,
>       I'm a little confused. Are all new rules created being placed into a rule category ?  How do you pull rules bases in temporal based concerns? How do I pull rules base on CVSS score?  
> 
> Right now I'm pulling rules base on categoies using the enablesid.conf in pulledpork and that's probably a lot more rules than i need. 
> 
> Thanks,
> Ed
> 
> Sent from a mobile device. 
> 
>> On Feb 21, 2014, at 2:39 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
>> 
>> Perhaps a bit off topic from the original threat, but Juan’s email prompted me about the way he seems to be doing things.  
>> 
>> Have you seen this?
>> 
>> http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
>> 
>> 
>> 
>> --
>> Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
>> 
>>> On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <camilo.valencia13 at ...843.....11827...> wrote:
>>> 
>>> Hi,
>>> 
>>> We have been doing based on CVE or category, here are some examples. I'm not completely sure that is te most optimized but works, you can used for your keyword:
>>> 
>>> #Regex for look Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
>>> pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
>>> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
>>> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
>>> #Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
>>> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
>>> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
>>> #Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted
>>> #(admin|user) and misc-activity
>>> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
>>> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
>>> #Regex to enable rules on VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
>>> pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
>>> 
>>> I hope that this help you,
>>> 
>>> Best Regards
>>> 
>>> 
>>>> On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan at ...131...> wrote:
>>>> Hi All,
>>>>     Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule?
>>>> 
>>>> If so can you post an example?
>>>> 
>>>> Thanks,
>>>> Ed
>>>> 
>>>> Sent from a mobile device.
>>>> ------------------------------------------------------------------------------
>>>> Managing the Performance of Cloud-Based Applications
>>>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>>>> Read the Whitepaper.
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>> 
>>> 
>>> 
>>> -- 
>>> JUAN CAMILO VALENCIA VARGAS
>>> Ingeniero de Operaciones
>>> SeguraTec S.A.S 
>>> Calle 11 # 43B-50 of 307
>>> Medelllín Colombia
>>> 
>>> “Choose a job you love, and you will never have to work a day in your life”
>>> ------------------------------------------------------------------------------
>>> Managing the Performance of Cloud-Based Applications
>>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>>> Read the Whitepaper.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk_______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> ------------------------------------------------------------------------------
>> Managing the Performance of Cloud-Based Applications
>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>> Read the Whitepaper.
>> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> Customize your own dashboards, set traffic alerts and generate reports.
> Network behavioral analysis & security monitoring. All-in-one tool.
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140226/a45ecf2f/attachment.html>


More information about the Snort-users mailing list