[Snort-users] Pulledpork and preprocessor rules

Dave Corsello snort-users at ...15598...
Thu Jan 23 21:43:50 EST 2014


Hi Ed,

Thanks for your reply.  Maybe I should be more specific in what I want
to do.  I currently have rules enabled by policy.  In addition, I want
to turn on just the two reputation preprocessor rules, 1:136 and 2:136. 
I don't see a way to accomplish that with the categories that you
provided.  What am I missing?

--Dave

On 1/23/2014 3:47 PM, SnortFan wrote:
> Here is the list as best as I can tell from what's in the snort rules file. When I place them into the enablesid.conf file and pull, I get the mother lode of rules. I don't recommend turning them all on.
>
> app-detect
> blacklist
> browser-chrome
> browser-firefox
> browser-ie
> browser-other
> browser-plugins
> browser-webkit
> content-replace
> decoder
> dos
> exploit-kit
> file-executable
> file-flash
> file-identify
> file-image
> file-java
> file-multimedia
> file-office
> file-other
> file-pdf
> indicator-compromise
> indicator-obfuscation
> indicator-scan
> indicator-shellcode
> malware-backdoor
> malware-cnc
> malware-other
> malware-tools
> netbios
> os-linux
> os-mobile
> os-other
> os-solaris
> os-windows
> policy-multimedia
> policy-other
> policy-social
> policy-spam
> preprocessor
> protocol-dns
> protocol-finger
> protocol-ftp
> protocol-icmp
> protocol-imap
> protocol-nntp
> protocol-pop
> protocol-rpc
> protocol-scada
> protocol-services
> protocol-snmp
> protocol-telnet
> protocol-tftp
> protocol-voip
> pua-adware
> pua-other
> pua-p2p
> pua-toolbars
> server-apache
> server-iis
> server-mail
> server-mssql
> server-mysql
> server-oracle
> server-other
> server-samba
> server-webapp
> sql
> x11
>
> Sent from a mobile device. 
>
>> On Jan 23, 2014, at 8:44 AM, SnortFan <SnortFan at ...131...> wrote:
>>
>> Hi Dave,
>>    It looks like it pulls them down and places them in the snort.rule file. I don't see where it replaces the gen-msg.map file, but if you search in the snort.rules file for one of the gids you should see them.
>>
>> Cheers,
>> Ed
>>
>> Sent from a mobile device. 
>>
>>> On Jan 23, 2014, at 7:43 AM, Dave Corsello <snort-users at ...15598...> wrote:
>>>
>>> I thought this would be a pretty basic question, but I haven't been able
>>> to locate an answer yet.  How do you enable preproc rules in
>>> pulledpork?  I tried adding "1:136,2:136" to enablesid.conf, but it
>>> didn't work.
>>>
>>> ------------------------------------------------------------------------------
>>> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
>>> Learn Why More Businesses Are Choosing CenturyLink Cloud For
>>> Critical Workloads, Development Environments & Everything In Between.
>>> Get a Quote or Start a Free Trial Today. 
>>> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
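Ed's suggestion above is to grep snort.rules for the preprocessor gid to see whether pulledpork wrote the rules out. The following added script (not from the thread or the pulledpork project) does that check programmatically over a constructed sample of a snort.rules file: it maps each rule to its gid:sid (defaulting gid to 1 when a rule carries no gid option, as Snort does) and reports whether each requested pair is enabled, commented out, or absent. It assumes pulledpork's enablesid.conf convention of gid:sid, so the reputation events are queried as 136:1 and 136:2; the 1:136 form from the thread is queried as well to show it does not match anything in the sample.

```python
import re

# Constructed sample of a pulledpork-generated snort.rules; not a real file.
SAMPLE_RULES = """\
# Preprocessor rules written into snort.rules (constructed sample)
alert ( msg:"REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
# alert ( msg:"REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS sample"; sid:2000001; rev:1; )
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Map 'gid:sid' -> True if the rule is active, False if commented out.

    A rule without a gid option is treated as gid 1, matching Snort's default.
    Lines with no sid option (plain comments, blank lines) are skipped.
    """
    state = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith('#')
        body = stripped.lstrip('#').strip()  # look inside disabled rules too
        sid = SID_RE.search(body)
        if not sid:
            continue
        gid = GID_RE.search(body)
        key = f"{gid.group(1) if gid else '1'}:{sid.group(1)}"
        state[key] = enabled
    return state


def check_requested(text, wanted):
    """For each requested 'gid:sid' return 'enabled', 'disabled' or 'missing'."""
    state = parse_rules(text)
    result = {}
    for key in wanted:
        if key not in state:
            result[key] = 'missing'
        else:
            result[key] = 'enabled' if state[key] else 'disabled'
    return result


if __name__ == '__main__':
    # 1:136 is the thread's notation; in gid:sid order it does not exist.
    for pair, status in check_requested(
            SAMPLE_RULES, ['136:1', '136:2', '1:2000001', '1:136']).items():
        print(pair, status)
```

Point the script at the real snort.rules that pulledpork writes to see which preprocessor sids actually made it out, and in what state.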