[Snort-users] snort and snort-rules/ET alerts

Y M snort at ...15979...
Fri Dec 2 15:24:34 EST 2016


I meant snort.rules.

Is Snort running against live traffic or existing pcaps? You may not have hit traffic that Snort rules would trigger on.

YM



On Fri, Dec 2, 2016 at 11:20 PM +0300, "Y M" <snort at ...15979...<mailto:snort at ...15979...>> wrote:

This seems to be the case now that I have done some quick testing. Last time I checked this was back in 2012, and I have been using the policy since then.

Not specifying any policy ends up with 11308 rules enabled in snort.conf. Enabling the balanced policy configures 9000+ rules.

YM





On Fri, Dec 2, 2016 at 11:05 PM +0300, "Joel Esler (jesler)" <jesler at ...16686......<mailto:jesler at ...589...>> wrote:

Is that intentional?  I thought the default behavior without policy specification is "as is, shipped".  If not, we should fix that (It's been awhile since I've actually used pulledpork)

--
Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>






On Dec 2, 2016, at 2:52 PM, Y M <snort at ...15979...<mailto:snort at ...15979...>> wrote:

The PulledPork command does not specify any rules policy (connectivity, balanced, security) to allow PulledPork to enable the rules.

Try running PulledPork with -I <policy>.

Keep in mind that this may mess up your ET rules enablement since ET rules do not contain rules policy metadata.

YM
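The effect YM describes, as an added illustration that is not part of this thread and not PulledPork's own code: a small Python model of the per-rule enable/disable decision PulledPork makes when a base policy is given with -I. Talos rules carry "metadata:policy balanced-ips drop, policy security-ips drop;" style entries, so a policy can be matched against them; ET rules carry no "policy ...-ips" entries, so under a policy they end up disabled unless an enablesid override puts them back. The sample rules, SIDs and messages below are constructed for the example (they are not real rules), and the model is simplified: real PulledPork also applies disablesid, dropsid and modifysid, which are left out here.

```python
import re

# Constructed sample ruleset (not from the thread). SIDs and messages are made up.
# Line 1: Talos-style rule in both balanced and security policies (shipped enabled).
# Line 2: Talos-style rule in the security policy only (shipped disabled).
# Line 3: ET-style rule with metadata but no "policy ...-ips" entry (shipped enabled).
# Line 4: a rule with no sid, which sid-based management cannot touch.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE balanced rule"; flow:to_server,established; content:"GET"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE security-only rule"; flow:to_server,established; content:"POST"; metadata:policy security-ips drop; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE ET-style rule without policy metadata"; content:"|00 01|"; metadata:created_at 2016_12_02; sid:2000001; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE rule with no sid at all";)
"""

RULE_RE = re.compile(r"^\s*(#\s*)?((?:alert|drop|log|pass|reject|sdrop)\s+.*\(.*\)\s*)$")
SID_RE = re.compile(r"sid\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"metadata\s*:\s*([^;]*);")


def parse_rule(line):
    """Return (enabled, sid, policies, body) for a rule line, or None otherwise."""
    m = RULE_RE.match(line)
    if not m:
        return None
    enabled = m.group(1) is None          # a leading '#' means shipped disabled
    body = m.group(2)
    sid_m = SID_RE.search(body)
    if not sid_m:
        return None                       # no sid: cannot be managed by sid lists
    sid = int(sid_m.group(1))
    policies = set()
    meta_m = META_RE.search(body)
    if meta_m:
        for item in meta_m.group(1).split(","):
            parts = item.strip().split()
            # "policy balanced-ips drop" -> policy name "balanced"
            if len(parts) >= 2 and parts[0] == "policy" and parts[1].endswith("-ips"):
                policies.add(parts[1][: -len("-ips")])
    return enabled, sid, policies, body


def apply_policy(rules_text, policy=None, enablesid=frozenset()):
    """Simplified model of PulledPork's per-rule decision. Returns {sid: enabled}.

    policy=None: keep every rule as shipped (commented or not).
    policy given: enable only rules whose metadata lists that policy, which
    disables any rule without policy metadata (e.g. ET rules); then force-enable
    every sid listed in `enablesid` (the enablesid.conf override).
    """
    state = {}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        enabled, sid, policies, _ = parsed
        if policy is not None:
            enabled = policy in policies
        if sid in enablesid:
            enabled = True
        state[sid] = enabled
    return state


def render(rules_text, state):
    """Write the ruleset back with '#' added or removed according to `state`."""
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)              # non-rule lines pass through untouched
            continue
        _, sid, _, body = parsed
        out.append(body if state.get(sid) else "# " + body)
    return "\n".join(out) + "\n"


def count_enabled(state):
    return sum(1 for v in state.values() if v)


if __name__ == "__main__":
    for pol in (None, "balanced", "security"):
        st = apply_policy(SAMPLE_RULES, pol)
        print(f"policy={pol!s:10} enabled={count_enabled(st)}/{len(st)} -> {st}")
    st = apply_policy(SAMPLE_RULES, "balanced", enablesid={2000001})
    print("balanced + enablesid 2000001 ->", st)
    print(render(SAMPLE_RULES, st))
```

Running it shows the drop in enabled rules when a policy is selected: with no policy the ET-style rule stays enabled as shipped, with "balanced" it is disabled because it has no policy entry, and listing its sid in enablesid brings it back. This is the check to make on a mixed Talos/ET setup before switching a cron job to -I.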





On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski" <keith.pachulski at ...843.....17691...<mailto:keith.pachulski at ...17691...>> wrote:

Pulledpork Cronjob
0 0 * * * /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf

Pulledpork Config
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<>
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/home/snort/rules/snort.rules
local_rules=/home/snort/rules/local.rules
sid_msg=/home/snort/rules/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/home/snort/rules/pullpork-sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/home/snort/rules/snort.conf
distro=Ubuntu-12-04
black_list=/home/snort/rules/black_list.rules
IPRVersion=/home/snort/rules/iplists



