[Snort-users] Enabling Only Applicable Rules
architectofthefuture at ...11827...
Tue Jun 6 19:00:58 EDT 2017
Will all unnecessary rules be removed or commented out?
I modified the files as you mentioned in your e-mail.
I also put the words in single quotes.
I am still not having any luck.
On Tue, Jun 6, 2017 at 6:53 PM, Marcin Dulak <marcin.dulak at ...11827...> wrote:
> Please continue the discussion on snort-users.
> Are all pulledpork configuration files adjusted, especially disablesid.conf
> and pulledpork.conf?
> Try also having enablesid.conf contain pcre:'OpenSSL' instead of OpenSSL.
> In my experience pulledpork often behaves unpredictably when one hits bugs
> or untested features, depending on the pulledpork version used.
> If you discover an unexpected behavior, report it directly at
> https://github.com/shirkdog/pulledpork/issues stating the version used
> and all commands used to reproduce the problem.
> On Wed, Jun 7, 2017 at 12:39 AM, bobby <architectofthefuture at ...11827...>
>> I did this, and here is what is in my enablesid.conf:
>> There are still 30k+ rules in my snort rules file, and for the most part
>> they are not commented out.
>> On Sun, May 14, 2017 at 7:33 AM, Marcin Dulak <marcin.dulak at ...11827...>
>>> Register at snort.org to obtain the free snortrules-snapshot-*.tar.gz
>>> which contains rules divided into categories.
>>> Then use pulledpork to select the desired category + additional rules.
>>> For example, on CentOS7:
>>> Pulledpork is installed with: yum -y install pulledpork
>>> After the installation of Pulledpork:
>>> 0. mkdir -p /etc/snort/rules/iplists
>>> 1. insert your oinkcode in /etc/pulledpork/pulledpork.conf
>>> 2. disable community-rules.tar.gz in /etc/pulledpork/pulledpork.conf
>>> 3. change the order Pulledpork operations to:
>>> state_order=disable,drop,enable in /etc/pulledpork/pulledpork.conf
>>> Pulledpork writes the rules on CentOS by default to
>>> In order to create or update /etc/snort/rules/snort.rules do:
>>> 4. Disable all rules: echo pcre:. >> /etc/pulledpork/disablesid.conf
>>> 5. Enable selected categories and rules:
>>> echo server-apache >> /etc/pulledpork/enablesid.conf
>>> echo pcre:'OpenSSL' >> /etc/pulledpork/enablesid.conf
>>> echo pcre:' cipher' >> /etc/pulledpork/enablesid.conf
>>> echo pcre:'rule-type decode' >> /etc/pulledpork/enablesid.conf
>>> echo '139:1-139:9999' >> /etc/pulledpork/enablesid.conf
>>> 6. One could replace HTTP_PORTS rules with a custom MY_HTTP_PORTS set on
>>> top of snort.conf
>>> echo '* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "' >>
>>> 7. Here is how one could disable specific rules (this way works only for
>>> echo '* ".*freakattack.*" ""' >> /etc/pulledpork/modifysid.conf
>>> echo '* ".*sid:28205.*" ""' >> /etc/pulledpork/modifysid.conf
>>> 8. generate new /etc/snort/rules/snort.rules with: pulledpork -PE -c
>>> On Sat, May 13, 2017 at 2:32 AM, bobby <architectofthefuture at ...11827...>
>>>> I am running snort, and have the community rules.
>>>> If I am running the HTTP service, how do I locate the rules that I need
>>>> activate/that apply to me? Do I just do a ls | grep ' HTTP ' on the
>>>> rules? What is the best way to do this since there are thousands and
>>>> thousands of rule sets? How does one go about customizing the rules to
>>>> ones' network?
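As an added illustration (this is not pulledpork's own code and not something anyone in the thread posted), the Python script below emulates what the disablesid.conf, enablesid.conf and modifysid.conf entries from steps 4 to 7 above should do to a ruleset when pulledpork.conf has state_order=disable,drop,enable. It runs over a constructed sample ruleset whose category file names follow the snortrules-snapshot layout; all sids, gids and messages are placeholders. Assumptions of the emulation, which the real tool may handle differently: surrounding quotes around a pcre: pattern are stripped, dropsid.conf is ignored, modifysid entries are applied after the state order, and a rule that a modifysid replacement blanks out is dropped from the output.

```python
import re
import shlex

# Constructed sample ruleset keyed by category file name, mirroring the layout of
# the snortrules-snapshot tarball. gids/sids/messages are placeholders, not real rules.
SAMPLE_RULESET = {
    "server-apache.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE sample 1"; sid:9000001; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE sample 2"; sid:9000002; rev:1;)',
    ],
    "server-other.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL sample"; sid:9000003; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER freakattack weak cipher sample"; sid:9000004; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-OTHER unrelated sample"; sid:9000005; rev:1;)',
    ],
    "decoder.rules": [
        'alert ( msg:"DECODE sample"; sid:1; gid:116; rev:1; metadata:rule-type decode;)',
    ],
    "preprocessor.rules": [
        'alert ( msg:"PREPROC sample gid 139"; sid:1; gid:139; rev:1; metadata:rule-type preproc;)',
        'alert ( msg:"PREPROC sample gid 137"; sid:3; gid:137; rev:1; metadata:rule-type preproc;)',
    ],
}

# The three config files as the echo commands in the thread would leave them.
DISABLESID = ["pcre:."]
ENABLESID = ["server-apache", "pcre:'OpenSSL'", "pcre:' cipher'",
             "pcre:'rule-type decode'", "139:1-139:9999"]
MODIFYSID = [
    '* "\\$HOME_NET \\$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "',
    '* ".*freakattack.*" ""',
    '* ".*sid:28205.*" ""',
]

SID_RE = re.compile(r"\bsid:(\d+)")
GID_RE = re.compile(r"\bgid:(\d+)")


def rule_id(line):
    """(gid, sid) of a rule line; Snort uses gid 1 when the rule states none."""
    gid = GID_RE.search(line)
    return (int(gid.group(1)) if gid else 1, int(SID_RE.search(line).group(1)))


def selector_matches(selector, category, line):
    """Approximate the entry types accepted in enablesid/disablesid.conf:
    pcre:<regex> against the rule text, gid:sid-gid:sid, gid:sid, bare sid, or category."""
    sel = selector.strip()
    if not sel or sel.startswith("#"):
        return False
    if sel.startswith("pcre:"):
        pattern = sel[len("pcre:"):].strip()
        # Assumption of this emulation: quotes around the pattern are not part of the regex.
        if len(pattern) >= 2 and pattern[0] == pattern[-1] and pattern[0] in "'\"":
            pattern = pattern[1:-1]
        return re.search(pattern, line) is not None
    gid, sid = rule_id(line)
    m = re.fullmatch(r"(\d+):(\d+)-(\d+):(\d+)", sel)
    if m:
        g1, s1, g2, s2 = map(int, m.groups())
        return (g1, s1) <= (gid, sid) <= (g2, s2)
    m = re.fullmatch(r"(\d+):(\d+)", sel)
    if m:
        return (gid, sid) == (int(m.group(1)), int(m.group(2)))
    if sel.isdigit():
        return sid == int(sel)
    return sel == category  # category name such as server-apache


def apply_policy(ruleset, disablesid, enablesid, modifysid,
                 state_order=("disable", "drop", "enable")):
    """Emulate state_order, then apply modifysid entries.
    Returns {(gid, sid): (status, text)} with status enabled/disabled/removed."""
    lists = {"disable": disablesid, "enable": enablesid}
    result = {}
    for fname, lines in ruleset.items():
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        for line in lines:
            enabled = True
            for state in state_order:
                if state == "drop":
                    continue  # dropsid.conf (rewriting the action) is not modelled here
                if any(selector_matches(s, category, line) for s in lists[state]):
                    enabled = state == "enable"
            text = line if enabled else "# " + line
            gid, sid = rule_id(line)
            for entry in modifysid:  # format: <sid or *> "<search>" "<replace>"
                parts = shlex.split(entry)
                if len(parts) != 3:
                    continue
                target, search, replace = parts
                if target in ("*", str(sid)):
                    text = re.sub(search, replace, text)
            if not text.strip():
                status = "removed"  # blanked by a modifysid replacement, as in step 7
            elif text.startswith("#"):
                status = "disabled"
            else:
                status = "enabled"
            result[(gid, sid)] = (status, text)
    return result


def selected_rules():
    """Apply the thread's configuration to the sample ruleset."""
    return apply_policy(SAMPLE_RULESET, DISABLESID, ENABLESID, MODIFYSID)


def render_snort_rules(result):
    """Text that would land in snort.rules: disabled rules commented, blanked ones dropped."""
    return "\n".join(text for status, text in result.values() if status != "removed")


def count_by_status(result):
    counts = {"enabled": 0, "disabled": 0, "removed": 0}
    for status, _ in result.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    res = selected_rules()
    print(render_snort_rules(res))
    print(count_by_status(res))
```

With the disable-first state order, every rule not matched by an enablesid.conf entry ends up commented out, which is the outcome asked about at the top of the thread. A quick way to check a real pulledpork run against this expectation is to compare `grep -c '^alert' /etc/snort/rules/snort.rules` before and after: with pcre:. in disablesid.conf the count should drop to roughly the number of rules enablesid.conf matches, and if it stays at 30k+ the disable step never applied, so the pulledpork.conf paths and the state_order line are the first things to verify.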