[Snort-users] Enabling Only Applicable Rules

Marcin Dulak marcin.dulak at ...11827...
Tue Jun 6 18:53:27 EDT 2017


Hello,

Please continue the discussion on snort-users.
Are all pulledpork configuration files adjusted, especially disablesid.conf
and pulledpork.conf?
Try also enablesid.conf to contain pcre:'OpenSSL' instead of OpenSSL.
In my experience pulledpork often behaves unpredictably when one hits bugs
or untested features, depending on the pulledpork version used.
If you discover unexpected behavior, report it directly at
https://github.com/shirkdog/pulledpork/issues, stating the version used and
all commands used to reproduce the problem.

Marcin

On Wed, Jun 7, 2017 at 12:39 AM, bobby <architectofthefuture at ...11827...>
wrote:

> I did this, and here is what is in my enablesid.conf:
>
> server-apache
> OpenSSL
>
> There are still 30k+ rules in my snort rules file, and for the most part
> are not commented out.
>
> On Sun, May 14, 2017 at 7:33 AM, Marcin Dulak <marcin.dulak at ...11827...>
> wrote:
>
>> Register at snort.org to obtain the free snortrules-snapshot-*.tar.gz
>> which contains rules divided into categories.
>> Then use pulledpork to select the desired category + additional rules.
>>
>> For example, on CentOS7:
>>
>> Pulledpork is installed with: yum -y install pulledpork
>>
>> After the installation of Pulledpork:
>>
>> 0. mkdir -p /etc/snort/rules/iplists
>> 1. insert your oinkcode in /etc/pulledpork/pulledpork.conf
>> 2. disable community-rules.tar.gz in /etc/pulledpork/pulledpork.conf
>> 3. change the order of Pulledpork operations to:
>> state_order=disable,drop,enable in /etc/pulledpork/pulledpork.conf
>>
>> Pulledpork writes the rules on CentOS by default to
>> /etc/snort/rules/snort.rules.
>> In order to create or update /etc/snort/rules/snort.rules do:
>>
>> 4. Disable all rules: echo pcre:. >> /etc/pulledpork/disablesid.conf
>> 5. Enable selected categories and rules:
>>
>> echo server-apache >> /etc/pulledpork/enablesid.conf
>> echo pcre:'OpenSSL' >> /etc/pulledpork/enablesid.conf
>> echo pcre:' cipher' >> /etc/pulledpork/enablesid.conf
>> echo pcre:'rule-type decode' >> /etc/pulledpork/enablesid.conf
>> echo '139:1-139:9999' >> /etc/pulledpork/enablesid.conf
>>
>> 6. One could replace HTTP_PORTS rules with a custom MY_HTTP_PORTS set at
>> the top of snort.conf
>> echo '* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "' >>
>> /etc/pulledpork/modifysid.conf
>>
>> 7. Here is how one could disable specific rules (this way works only for
>> gid:1):
>> echo '* ".*freakattack.*" ""' >> /etc/pulledpork/modifysid.conf
>> echo '* ".*sid:28205.*" ""' >> /etc/pulledpork/modifysid.conf
>>
>> 8. generate new /etc/snort/rules/snort.rules with: pulledpork -PE -c
>> /etc/pulledpork/pulledpork.conf
>>
>> Marcin
>>
>> On Sat, May 13, 2017 at 2:32 AM, bobby <architectofthefuture at ...11827...>
>> wrote:
>>
>>> I am running snort, and have the community rules.
>>>
>>> If I am running the HTTP service, how do I locate the rules that I need
>>> to
>>> activate/that apply to me?  Do I just do a ls | grep ' HTTP ' on the
>>> rules?  What is the best way to do this since there are thousands and
>>> thousands of rule sets?  How does one go about customizing the rules to
>>> one's network?
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>
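A post-check for the procedure in the quoted reply above, added here as an example and not taken from the thread or from pulledpork itself: once pulledpork has written snort.rules, count how many rules are still active versus commented out, and list the sid of every active rule that matches none of the pcre expressions put into enablesid.conf. If the "disable all" step (pcre:. in disablesid.conf) and the state_order took effect, that list is empty; the 30k+ active rules reported in the thread would show up here as a long list. The default path /etc/snort/rules/snort.rules and the sample rules (with hypothetical sids in the local range) are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: audit the snort.rules that pulledpork
# wrote, to confirm that "disable everything, then enable a few" actually took.
# RULES_FILE default is an assumed path (pulledpork on CentOS writes there);
# the sample rules below are constructed and their sids are hypothetical.

RULES_FILE="${RULES_FILE:-/etc/snort/rules/snort.rules}"
ACTIONS='alert|drop|log|pass|reject|sdrop'

# count_active FILE: rules pulledpork left enabled, i.e. lines that start
# with a rule action instead of '#'.
count_active() {
    grep -c -E "^($ACTIONS) " "$1" || true
}

# count_disabled FILE: rules pulledpork commented out ('# alert ...').
count_disabled() {
    grep -c -E "^# *($ACTIONS) " "$1" || true
}

# active_outside FILE PATTERN: print the sid of every active rule whose text
# matches none of the extended regexes in PATTERN. Feed it the same
# expressions you put into enablesid.conf as pcre: entries; any output means
# the disable-all step did not take (for example because enable ran before
# disable in state_order).
active_outside() {
    grep -E "^($ACTIONS) " "$1" \
      | grep -v -E "$2" \
      | sed -n 's/.*sid:\([0-9]*\);.*/\1/p'
}

# write_sample_rules FILE: constructed sample in the shape pulledpork writes.
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SAMPLE OpenSSL heartbeat probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SAMPLE weak cipher suite offered"; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE ftp login attempt"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"SAMPLE mysql probe"; sid:1000004; rev:1;)
EOF
}

# audit FILE PATTERN: one-screen summary for the operator.
audit() {
    echo "rules file: $1"
    echo "active:     $(count_active "$1")"
    echo "disabled:   $(count_disabled "$1")"
    echo "active but matching none of '$2':"
    active_outside "$1" "$2" | sed 's/^/  sid:/'
}

# Against a real file:  sh audit.sh /etc/snort/rules/snort.rules 'OpenSSL| cipher'
# With no arguments, run on the constructed sample instead.
if [ -n "${1:-}" ]; then
    audit "$1" "${2:-OpenSSL| cipher}"
else
    tmp=$(mktemp)
    write_sample_rules "$tmp"
    audit "$tmp" 'OpenSSL| cipher'   # 3 active, 1 disabled, sid:1000004 flagged
    rm -f "$tmp"
fi
```

The patterns handed to active_outside should be the literal regexes from enablesid.conf (pcre:'OpenSSL' becomes OpenSSL, pcre:' cipher' becomes ' cipher'); category entries such as server-apache have no rule-text equivalent, so add a category-specific expression or accept those sids in the output. This cross-checks the file on disk independently of whatever pulledpork printed while running.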


