[Snort-users] Pulledpork and preprocessor rules

SnortFan SnortFan at ...131...
Fri Jan 24 09:48:07 EST 2014


Hi Dave,
      I'm still kinda trying to figure this out as well. What you may try is modifying the snort.conf to only enable the preprocessor for reputation. Comment the rest out in the snort.conf. So you would still pull down all the preprocessors with pulledpork, but Snort would only activate those two preprocessor rules. Warning, I'm just making an educated guess. 8-)

Joel?  Does that sound right?

Thanks,
Ed 

Sent from a mobile device. 

> On Jan 23, 2014, at 9:43 PM, Dave Corsello <snort-users at ...15598...> wrote:
> 
> Hi Ed,
> 
> Thanks for your reply.  Maybe I should be more specific in what I want
> to do.  I currently have rules enabled by policy.  In addition, I want
> to turn on just the two reputation preprocessor rules, 1:136 and 2:136. 
> I don't see a way to accomplish that with the categories that you
> provided.  What am I missing?
> 
> --Dave
> 
>> On 1/23/2014 3:47 PM, SnortFan wrote:
>> Here is the list as best I can tell from what's in the snort rules file. When I place them into the enablesid.conf file and pull, I get the mother lode of rules. I don't recommend turning them all on. 
>> 
>> app-detect
>> blacklist
>> browser-chrome
>> browser-firefox
>> browser-ie
>> browser-other
>> browser-plugins
>> browser-webkit
>> content-replace
>> decoder
>> dos
>> exploit-kit
>> file-executable
>> file-flash
>> file-identify
>> file-image
>> file-java
>> file-multimedia
>> file-office
>> file-other
>> file-pdf
>> indicator-compromise
>> indicator-obfuscation
>> indicator-scan
>> indicator-shellcode
>> malware-backdoor
>> malware-cnc
>> malware-other
>> malware-tools
>> netbios
>> os-linux
>> os-mobile
>> os-other
>> os-solaris
>> os-windows
>> policy-multimedia
>> policy-other
>> policy-social
>> policy-spam
>> preprocessor
>> protocol-dns
>> protocol-finger
>> protocol-ftp
>> protocol-icmp
>> protocol-imap
>> protocol-nntp
>> protocol-pop
>> protocol-rpc
>> protocol-scada
>> protocol-services
>> protocol-snmp
>> protocol-telnet
>> protocol-tftp
>> protocol-voip
>> pua-adware
>> pua-other
>> pua-p2p
>> pua-toolbars
>> server-apache
>> server-iis
>> server-mail
>> server-mssql
>> server-mysql
>> server-oracle
>> server-other
>> server-samba
>> server-webapp
>> sql
>> x11
>> 
>> Sent from a mobile device. 
>> 
>>> On Jan 23, 2014, at 8:44 AM, SnortFan <SnortFan at ...131...> wrote:
>>> 
>>> Hi Dave,
>>>   It looks like it pulls them down and places them in the snort.rules file. I don't see where it replaces the gen-msg.map file, but if you search in the snort.rules file for one of the GIDs you should see them. 
>>> 
>>> Cheers,
>>> Ed
>>> 
>>> Sent from a mobile device. 
>>> 
>>>> On Jan 23, 2014, at 7:43 AM, Dave Corsello <snort-users at ...15598...> wrote:
>>>> 
>>>> I thought this would be a pretty basic question, but I haven't been able
>>>> to locate an answer yet.  How do you enable preproc rules in
>>>> pulledpork?  I tried adding "1:136,2:136" to enablesid.conf, but it
>>>> didn't work.
>>>> 
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
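The thread's practical advice is to look in the generated snort.rules for the reputation GID and see what pulledpork actually left enabled. The script below is added here as an example and is not code from pulledpork or Snort. It parses a snort.rules excerpt (commented-out lines count as disabled rules), keys every rule by gid:sid with the GID defaulting to 1 when a text rule omits it, and reports each entry of an enablesid-style `gid:sid` list as enabled, disabled or missing. The reputation preprocessor's events are GID 136 (SID 1 for blacklist, SID 2 for whitelist), so the same file answers both the `1:136,2:136` spelling from the thread and `136:1,136:2`. The rule text and SID values in `SAMPLE_RULES` are constructed, not taken from a real install.

```python
"""Verify which gid:sid rules a pulledpork run left enabled in snort.rules.

Added example for this thread; it is not pulledpork's or Snort's own code.
Snort rule identifiers are written gid:sid (GID defaults to 1 for text rules;
preprocessor rules carry an explicit gid option), which is also the format
pulledpork's enablesid.conf / disablesid.conf entries use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed snort.rules excerpt (not from a real pulledpork run): one enabled
# text rule, one disabled text rule, and two reputation preprocessor rules
# (GID 136), the second of them commented out.
SAMPLE_RULES = """\
# ---- constructed sample, not a real rules file ----
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web rule"; sid:1000001; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"SAMPLE dns rule"; sid:1000002; rev:1;)
alert ( msg:"REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
# alert ( msg:"REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
"""

ACTIONS = ("alert", "log", "pass", "drop", "sdrop", "reject")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


@dataclass
class RuleState:
    gid: int
    sid: int
    enabled: bool
    msg: str


def parse_rules(text: str) -> Dict[Tuple[int, int], RuleState]:
    """Map (gid, sid) -> state for every rule line, commented-out ones included."""
    rules: Dict[Tuple[int, int], RuleState] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()           # drop the disabling comment marker
        if not body.startswith(ACTIONS):
            continue                              # an ordinary comment, not a rule
        sid_m = SID_RE.search(body)
        if sid_m is None:
            continue                              # malformed rule; nothing to key on
        gid_m = GID_RE.search(body)
        gid = int(gid_m.group(1)) if gid_m else 1  # text rules omit gid, meaning 1
        sid = int(sid_m.group(1))
        msg_m = MSG_RE.search(body)
        msg = msg_m.group(1) if msg_m else ""
        rules[(gid, sid)] = RuleState(gid, sid, enabled, msg)
    return rules


def parse_sid_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse a comma-separated gid:sid list such as '136:1,136:2'."""
    pairs: List[Tuple[int, int]] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        gid_s, sid_s = token.split(":", 1)
        pairs.append((int(gid_s), int(sid_s)))
    return pairs


def check_rules(rules: Dict[Tuple[int, int], RuleState], spec: str) -> Dict[str, str]:
    """Report each requested gid:sid as 'enabled', 'disabled' or 'missing'."""
    report: Dict[str, str] = {}
    for gid, sid in parse_sid_spec(spec):
        state = rules.get((gid, sid))
        if state is None:
            report[f"{gid}:{sid}"] = "missing"
        else:
            report[f"{gid}:{sid}"] = "enabled" if state.enabled else "disabled"
    return report


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for spec in ("1:136,2:136", "136:1,136:2"):
        print(spec, "->", check_rules(parsed, spec))
```

Against a real install, read snort.rules from disk in place of `SAMPLE_RULES`. A `missing` result for a preprocessor event means that gid:sid is not in the file pulledpork produced at all, which is a different problem from the rule being present but commented out, and is worth settling before changing snort.conf.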



