[Snort-users] Disablesid.conf and classtype

Joel Esler (jesler) jesler at ...589...
Wed Feb 26 14:18:00 EST 2014


On Feb 26, 2014, at 10:30 AM, SnortFan <SnortFan at ...131...> wrote:

Hi Joel,
    I think I may have found it.  In the pulledpork.conf I can set the ips_policy.  That will set for me the rule policy category mentioned in the article. I could then go back to my enablesid.conf and turn on only the categories not included in the ips_policy.

Bingo.

So for example: if I set the ips policy to security and then add the VoIP category in my enablesid.conf, I will get:

CVSS score 8 or greater
Age current back 3 years
Rule categories:
Malware-cnc
Blacklist
SQL injection
Exploit kit
App-detect
VoIP

Am I on track?

Yes.

Also for the VoIP,
Since it's an add on would it activate rules over the age setting older than the policy?

Yes.  You can turn on whatever you want.  That overrides our settings.  We just ship things in this fashion based upon the criteria.  You should always adjust your policy to your local network.


--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team



Thanks,
Ed

Sent from a mobile device.

On Feb 26, 2014, at 1:05 PM, SnortFan <SnortFan at ...131...> wrote:

Hi Joel,
      I'm a little confused. Are all new rules created being placed into a rule category?  How do you pull rules based on temporal concerns? How do I pull rules based on CVSS score?

Right now I'm pulling rules based on categories using the enablesid.conf in pulledpork, and that's probably a lot more rules than I need.

Thanks,
Ed

Sent from a mobile device.

On Feb 21, 2014, at 2:39 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:

Perhaps a bit off topic from the original thread, but Juan's email prompted me about the way he seems to be doing things.

Have you seen this?

http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html



--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <camilo.valencia13 at ...11827...> wrote:

Hi,

We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most optimized, but it works. You can use it with your keyword:

#Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
#Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
#Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted
#(admin|user) and misc-activity
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
#Regex to enable rules on VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)

I hope that this helps you,

Best Regards


On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan at ...131...> wrote:
Hi All,
    Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule?

If so can you post an example?

Thanks,
Ed

Sent from a mobile device.
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia

“Choose a job you love, and you will never have to work a day in your life”
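As an added illustration (not code from this thread, and not pulledpork's own code), the script below runs Juan's enablesid lookahead patterns, plus a classtype-based disablesid pattern of the kind Ed asked about, over a handful of constructed Snort rules and reports which sids end up selected. It assumes, as those lookaheads do, that each pattern is tested against the whole one-line rule text, case-sensitively, and that sid and classtype are read from the rule options; the enable-then-disable precedence is also an assumption here, so check pulledpork's own documentation for the real processing order. The sample rules, their sids (9000001 onward) and references are made up for the example.

```python
import re

# Constructed sample rules for illustration; they are not real VRT rules.
# The sids, contents and reference URLs are placeholders.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use-after-free attempt"; flow:to_client,established; content:"placeholder"; reference:url,technet.microsoft.com/example; classtype:attempted-user; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer version detection"; flow:to_client,established; content:"placeholder"; classtype:policy-violation; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime malformed atom attempt"; flow:to_client,established; content:"placeholder"; reference:url,support.apple.com/example; classtype:attempted-user; sid:9000003; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Example Player buffer overflow attempt"; flow:to_client,established; content:"placeholder"; classtype:attempted-user; sid:9000004; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Example outbound connection"; flow:to_server,established; content:"placeholder"; classtype:trojan-activity; sid:9000005; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable download attempt"; flow:to_client,established; content:"placeholder"; classtype:misc-activity; sid:9000006; rev:1;)',
]

# Juan's enablesid.conf patterns from the thread, with the "pcre:" prefix removed.
ENABLE_PATTERNS = [
    r"(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)",
    r"(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)",
    r"(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)",
    r"(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)",
    r"(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)",
    r"(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)",
    r"(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)",
    r"(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)",
]

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")


def rule_sid(rule):
    """Return the rule's sid as an int, or None if the option is missing."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_classtype(rule):
    """Return the rule's classtype name, or None if the option is missing."""
    m = CLASSTYPE_RE.search(rule)
    return m.group(1) if m else None


def matching_sids(rules, patterns):
    """Sorted sids of rules matched by any pattern; each pattern is searched
    against the whole rule line, case-sensitively (an assumption about how
    the pcre: lines are applied)."""
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for rule in rules:
        sid = rule_sid(rule)
        if sid is not None and any(c.search(rule) for c in compiled):
            hits.append(sid)
    return sorted(hits)


def classtype_pattern(classtypes):
    """Build a disablesid-style pattern body that selects rules purely by
    classtype, the selection Ed's original question asked about."""
    alts = "|".join(re.escape(c) for c in classtypes)
    return r"\bclasstype:\s*(" + alts + r")\s*;"


def apply_policy(rules, enable_patterns, disable_patterns):
    """Sids left enabled after applying enable patterns, then disable patterns
    (disable wins on overlap; this precedence is an assumption, see lead-in)."""
    enabled = set(matching_sids(rules, enable_patterns))
    disabled = set(matching_sids(rules, disable_patterns))
    return sorted(enabled - disabled)


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule_sid(rule), rule_classtype(rule))
    print("enabled by Juan's patterns:", matching_sids(SAMPLE_RULES, ENABLE_PATTERNS))
    noisy = [classtype_pattern(["policy-violation", "misc-activity"])]
    print("disabled by classtype:", matching_sids(SAMPLE_RULES, noisy))
    print("net result:", apply_policy(SAMPLE_RULES, ENABLE_PATTERNS, noisy))
```

Two things worth noticing when running it: sid 9000003 is selected only because its reference URL contains "apple" as a whole lowercase word, while 9000004 (same category and classtype, no vendor hint) is not, so the vendor lookahead is doing real work; and the unescaped dot in `videolan.org` matches any character, so write `videolan\.org` if you want that term to be exact.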

