[Snort-users] Modifying Rules Works One Direction, but Not T'Other

Doug Burks doug.burks at ...11827...
Sat Nov 29 14:58:38 EST 2014

Replies inline.

On Sat, Nov 29, 2014 at 2:51 PM, colony.three
<colony.three at ...17037...> wrote:
> On Sat, Nov 29, 2014 at 2:09 PM, colony.three
> wrote:
>>> I've found that the current SecurityOnion has some serious problems. It
>>> does not even -define-:
>>> ... for some reason.
>> Security Onion does indeed define those variables. Are you sure
>> you're looking at the right file? Are you sure you ran through Setup
>> properly? Are you sure you followed our Installation guide?
>> https://code.google.com/p/security-onion/wiki/Installation
> I set it up in accord with the page you reference, and your videos, which
> are very helpful.
> I know these are not defined because of the weird behavior I was getting in
> modifying rules, and by inserting in rule-update many instances of:
> ... all blank.

These variables are not defined in the bash environment and that's why
your tests are showing up blank.  These variables are defined in your
snort.conf file.  Please see /etc/nsm/HOSTNAME-INTERFACE/snort.conf.

>>> And these are mandatory for the GPL Emerging Threats
>>> rules.
>>> I can't report the problems because SO requires G**gle Groups, and I'm
>>> not
>>> signing up for that.
>> Any particular reason why? You could always create a Google account
>> just for Google Groups.
> I've never trusted G**gle for anything, anyway, anyhow.  It's the greatest
> data-mining operation in the history of the world, and the masses blithely
> hand over all their searches (which tell much about them), their contacts,
> their networks of friends and coworkers, and their very locations at all
> times as well as voice phone calls.  Apple is no better.  Someday people
> will start to realize that their life history follows them -forever-... like
> the proverbial 'school permanent record'.  Times they were bullied, all the
> stupid things they've said and written, will be accessible to every future
> employer, romantic engagement, neighbors, rivals, and police when the
> definition of 'what is wrong' changes.  Think it's not accessible?  I've
> seen it.
> I just don't use G**gle.

You should also be able to use our Google Group as a standard mailing
list just like this Snort mailing list.  Send email to
security-onion at ...14071... from your existing non-Google email
account you're using here.  You'll receive replies at the same
non-Google email account.  At that point, it's really no different
than using this Snort mailing list.

>>> Further, it's looking like the GPL Emerging Threats rules may not be
>>> well-written, which are installed by SecurityOnion.
>>> What is going on with that?
>> Security Onion allows you to choose Sourcefire VRT or Emerging Threats.
> I need to somehow research the rulesets that are available.  I'm getting a
> clear implication from a Snort developer that the ET rulebase is poorly
> written.  Trying to get more info now.

Again, Security Onion allows you to choose either Sourcefire VRT or
Emerging Threats.  It's your choice.

Doug Burks
Need Security Onion Training or Commercial Support?
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
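An added example, not code from this thread or from the Security Onion project: a small POSIX shell script that checks Snort variables where they are actually declared, the var/ipvar/portvar lines of snort.conf, instead of in the shell environment, which is the mistake the reply above describes. The snort.conf contents here are a constructed sample; the variable names are Snort's standard ones, and the path /etc/nsm/HOSTNAME-INTERFACE/snort.conf is the one given in the reply.

```shell
#!/bin/sh
# Constructed sample of the variable section of a snort.conf (not a real file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Step #1: Set the network variables (constructed sample)
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
ipvar HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080,8443]
var RULE_PATH /etc/nsm/rules
EOF
}

# snort_var_defined NAME CONF_FILE
# Prints the value declared for NAME by a var/ipvar/portvar line in CONF_FILE
# and returns 0; returns 1 (prints nothing) if no such declaration exists.
snort_var_defined() {
    name=$1
    conf=$2
    value=$(sed -nE "/^[[:space:]]*(ipvar|portvar|var)[[:space:]]+${name}[[:space:]]+/{s///;s/[[:space:]]*\$//;p;}" "$conf" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# shell_var_defined NAME -> 0 if the calling shell has NAME set, else 1.
# Snort never reads these from the environment, so a blank here is expected.
shell_var_defined() {
    eval "[ -n \"\${$1+x}\" ]"
}

# report_rule_vars CONF_FILE NAME...
# Prints one report line per variable and returns the number of names that
# CONF_FILE does not declare (0 means every name a ruleset needs is present).
report_rule_vars() {
    conf=$1
    shift
    missing=0
    for name in "$@"; do
        if value=$(snort_var_defined "$name" "$conf"); then
            printf 'snort.conf defines %-13s = %s\n' "$name" "$value"
        else
            printf 'snort.conf is MISSING %s\n' "$name"
            missing=$((missing + 1))
        fi
        if shell_var_defined "$name"; then
            printf '  (shell env also sets %s, which Snort ignores)\n' "$name"
        else
            printf '  (shell env has no %s: expected, so "echo $%s" prints blank)\n' "$name" "$name"
        fi
    done
    return $missing
}

# Demonstration on the constructed sample. On Security Onion the real file
# is /etc/nsm/HOSTNAME-INTERFACE/snort.conf (assumed path from the reply).
SAMPLE=${TMPDIR:-/tmp}/snort.conf.sample.$$
write_sample_conf "$SAMPLE"
report_rule_vars "$SAMPLE" HOME_NET EXTERNAL_NET HTTP_SERVERS HTTP_PORTS RULE_PATH
rm -f "$SAMPLE"
```

To check a live sensor, replace the sample path with the interface's snort.conf and pass the variable names the rules you are editing reference; a non-zero exit is the count of names that snort.conf does not declare.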
