[Snort-users] Modifying Rules Works One Direction, but Not T'Other

Doug Burks doug.burks at ...11827...
Sat Nov 29 14:58:38 EST 2014


Replies inline.

On Sat, Nov 29, 2014 at 2:51 PM, colony.three
<colony.three at ...17037...> wrote:
> On Sat, Nov 29, 2014 at 2:09 PM, colony.three
> wrote:
>>> I've found that the current SecurityOnion has some serious problems. It
>>> does not even -define-:
>>> EXTERNAL_NET
>>> HOME_NET
>>> HTTP_PORTS
>>> ... for some reason.
>
>> Security Onion does indeed define those variables. Are you sure
>> you're looking at the right file? Are you sure you ran through Setup
>> properly? Are you sure you followed our Installation guide?
>> https://code.google.com/p/security-onion/wiki/Installation
>
> I set it up in accord with the page you reference, and your videos, which
> are very helpful.
>
> I know these are not defined because of the weird behavior I was getting in
> modifying rules, and by inserting in rule-update many instances of:
> echo EXTERNAL_NET=$EXTERNAL_NET
> echo HOME_NET=$HOME_NET
> echo HTTP_PORTS=$HTTP_PORTS
>
> ... all blank.

These variables are not defined in the bash environment and that's why
your tests are showing up blank.  These variables are defined in your
snort.conf file.  Please see /etc/nsm/HOSTNAME-INTERFACE/snort.conf.

>>> And these are mandatory for the GPL Emerging Threats
>>> rules.
>>>
>>> I can't report the problems because SO requires G**gle Groups, and I'm
>>> not
>>> signing up for that.
>
>> Any particular reason why? You could always create a Google account
>> just for Google Groups.
>
> I've never trusted G**gle for anything, anyway, anyhow.  It's the greatest
> data-mining operation in the history of the world, and the masses blithely
> hand over all their searches (which tell much about them), their contacts,
> their networks of friends and coworkers, and their very locations at all
> times as well as voice phone calls.  Apple is no better.  Someday people
> will start to realize that their life history follows them -forever-... like
> the proverbial 'school permanent record'.  Times they were bullied, all the
> stupid things they've said and written, will be accessible to every future
> employer, romantic engagement, neighbors, rivals, and police when the
> definition of 'what is wrong' changes.  Think it's not accessible?  I've
> seen it.
>
> I just don't use G**gle.

You should also be able to use our Google Group as a standard mailing
list just like this Snort mailing list.  Send email to
security-onion at ...14071... from your existing non-Google email
account you're using here.  You'll receive replies at the same
non-Google email account.  At that point, it's really no different
than using this Snort mailing list.

>>> Further, it's looking like the GPL Emerging Threats rules may not be
>>> well-written, which are installed by SecurityOnion.
>>> What is going on with that?
>
>> Security Onion allows you to choose Sourcefire VRT or Emerging Threats.
>
> I need to somehow research the rulesets that are available.  I'm getting a
> clear implication from a Snort developer that the ET rulebase is poorly
> written.  Trying to get more info now.

Again, Security Onion allows you to choose either Sourcefire VRT or
Emerging Threats.  It's your choice.

-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
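The point Doug makes above, that HOME_NET, EXTERNAL_NET and HTTP_PORTS live in snort.conf as `ipvar`/`portvar`/`var` lines rather than in the shell environment, can be checked directly instead of with `echo $HOME_NET`. The following is an added example, not code from this thread or from Security Onion: it parses a snort.conf fragment for those definitions and reports any variable that a rule (or another definition) references but the file never defines. The conf fragment and rule lines are constructed, and the Snort 2.9 definition syntax is assumed.

```python
import re

# Constructed snort.conf fragment (not the file from the thread); HTTP_PORTS
# is deliberately left out so the check has something to report.
SAMPLE_CONF = """\
# network definitions
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
portvar SHELLCODE_PORTS !80
var RULE_PATH /etc/nsm/rules
"""

# Constructed rule lines using the variables ET/VRT rules commonly expect.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"demo"; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $SHELLCODE_PORTS (msg:"demo2"; sid:2; rev:1;)
"""

DEF_RE = re.compile(r"^\s*(ipvar|portvar|var)\s+(\w+)\s+(.+?)\s*$")
REF_RE = re.compile(r"\$(\w+)")  # $NAME references in rules and definitions


def parse_snort_vars(conf_text):
    """Return {name: (kind, value)} for every ipvar/portvar/var line."""
    defs = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = DEF_RE.match(line)
        if m:
            kind, name, value = m.groups()
            defs[name] = (kind, value)
    return defs


def undefined_vars(conf_text, rules_text):
    """Names referenced in rules or in other definitions but never defined."""
    defs = parse_snort_vars(conf_text)
    referenced = set(REF_RE.findall(rules_text))
    for _kind, value in defs.values():
        referenced.update(REF_RE.findall(value))  # e.g. !$HOME_NET
    return sorted(referenced - set(defs))


if __name__ == "__main__":
    for name, (kind, value) in parse_snort_vars(SAMPLE_CONF).items():
        print(f"{kind:8} {name:16} = {value}")
    print("undefined:", undefined_vars(SAMPLE_CONF, SAMPLE_RULES))
```

Point it at /etc/nsm/HOSTNAME-INTERFACE/snort.conf and the downloaded ruleset to see which variables a rule update would actually miss.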