[Snort-users] Enabling Only Applicable Rules

Marcin Dulak marcin.dulak at ...11827...
Sun May 14 07:33:19 EDT 2017


Register at snort.org to obtain the free snortrules-snapshot-*.tar.gz which
contains rules divided into categories.
Then use pulledpork to select the desired category + additional rules.

For example, on CentOS7:

Pulledpork is installed with: yum -y install pulledpork

After the installation of Pulledpork:

0. mkdir -p /etc/snort/rules/iplists
1. insert your oinkcode in /etc/pulledpork/pulledpork.conf
2. disable community-rules.tar.gz in /etc/pulledpork/pulledpork.conf
3. change the order of Pulledpork operations to state_order=disable,drop,enable
in /etc/pulledpork/pulledpork.conf

Pulledpork writes the rules on CentOS by default to
/etc/snort/rules/snort.rules.
In order to create or update /etc/snort/rules/snort.rules do:

4. Disable all rules: echo pcre:. >> /etc/pulledpork/disablesid.conf
5. Enable selected categories and rules:

echo server-apache >> /etc/pulledpork/enablesid.conf
echo pcre:'OpenSSL' >> /etc/pulledpork/enablesid.conf
echo pcre:' cipher' >> /etc/pulledpork/enablesid.conf
echo pcre:'rule-type decode' >> /etc/pulledpork/enablesid.conf
echo '139:1-139:9999' >> /etc/pulledpork/enablesid.conf

6. One could replace HTTP_PORTS in the rules with a custom MY_HTTP_PORTS set at the
top of snort.conf:
echo '* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "' >> /etc/pulledpork/modifysid.conf

7. Here is how one could disable specific rules (this way works only for
gid:1):
echo '* ".*freakattack.*" ""' >> /etc/pulledpork/modifysid.conf
echo '* ".*sid:28205.*" ""' >> /etc/pulledpork/modifysid.conf

8. Generate the new /etc/snort/rules/snort.rules with: pulledpork -PE -c /etc/pulledpork/pulledpork.conf

Marcin

On Sat, May 13, 2017 at 2:32 AM, bobby <architectofthefuture at ...11827...>
wrote:

> I am running snort, and have the community rules.
>
> If I am running the HTTP service, how do I locate the rules that I need to
> activate/that apply to me?  Do I just do a ls | grep ' HTTP ' on the
> rules?  What is the best way to do this since there are thousands and
> thousands of rule sets?  How does one go about customizing the rules to
> ones' network?
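Steps 4 to 7 above are easier to reason about when you can watch each selector act on a ruleset. The script below is an added example, not pulledpork's code and not anything posted in this thread: a simplified offline model of how disablesid.conf, enablesid.conf and modifysid.conf lines are applied under state_order=disable,drop,enable, run over a handful of constructed rule lines. Everything specific in it is an assumption for illustration: the sample rules are invented (only sid:28205 and the string "freakattack" come from the e-mail), a bare word in enablesid is treated as a category name matched against the rule's source file, every rule is assumed to start enabled, and, to mirror the remark that step 7 only works for gid:1, a `*` target in modifysid is applied to gid 1 rules only. Forms pulledpork also accepts but the e-mail does not use (comma-separated lists, reference-based selectors) are not modelled.

```python
"""Offline model of pulledpork's disablesid / enablesid / modifysid handling.

Added example, not pulledpork's own code: a simplified re-implementation of
the selector forms used in the e-mail (pcre:REGEX, a category name, gid:sid,
a gid:sid-gid:sid range, and sid "find" "replace" lines), run over a few
constructed rule lines with state_order=disable,drop,enable.
"""
import re

# Constructed sample rules, not taken from any snortrules snapshot:
# (category file the rule would come from, rule text). As in Snort, a rule
# without a gid: option belongs to gid 1.
SAMPLE_RULES = [
    ("server-apache.rules", 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE sample"; sid:1000001;)'),
    ("server-webapp.rules", 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP sample"; sid:1000002;)'),
    ("server-other.rules",  'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL sample"; sid:1000003;)'),
    ("server-other.rules",  'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER weak cipher sample"; sid:1000004;)'),
    ("server-other.rules",  'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL freakattack sample"; sid:1000005;)'),
    ("server-other.rules",  'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL sample 2"; sid:28205;)'),
    ("decoder.rules",       'alert ( msg:"DECODE sample"; sid:1; gid:116; metadata:rule-type decode; )'),
    ("preprocessor.rules",  'alert ( msg:"PREPROC sample"; sid:1; gid:145; metadata:rule-type preproc; )'),
    ("preprocessor.rules",  'alert ( msg:"SENSITIVE_DATA sample"; sid:2; gid:139; metadata:rule-type preproc; )'),
]

SID_RANGE = re.compile(r"^(\d+):(\d+)-(\d+):(\d+)$")
GID_SID = re.compile(r"^(\d+):(\d+)$")
MODIFY_LINE = re.compile(r'^(\S+)\s+"(.*?)"\s+"(.*?)"\s*$')


class Rule:
    def __init__(self, category_file, text):
        self.category = category_file[:-6] if category_file.endswith(".rules") else category_file
        self.text = text
        gid = re.search(r"\bgid:(\d+)", text)
        self.gid = int(gid.group(1)) if gid else 1
        self.sid = int(re.search(r"\bsid:(\d+)", text).group(1))
        self.enabled = True  # model assumption: every sample rule starts enabled


def selector_matches(selector, rule):
    """One line of disablesid.conf or enablesid.conf tested against one rule."""
    if selector.startswith("pcre:"):          # regex over the whole rule line
        return re.search(selector[len("pcre:"):], rule.text) is not None
    m = SID_RANGE.match(selector)             # e.g. 139:1-139:9999
    if m:
        g1, s1, g2, s2 = map(int, m.groups())
        return rule.gid == g1 == g2 and s1 <= rule.sid <= s2
    m = GID_SID.match(selector)               # e.g. 1:28205
    if m:
        return (rule.gid, rule.sid) == (int(m.group(1)), int(m.group(2)))
    if selector.isdigit():                    # bare sid means gid 1
        return rule.gid == 1 and rule.sid == int(selector)
    return rule.category == selector          # assumption: anything else is a category name


def read_conf(text):
    """Non-blank, non-comment lines of a disablesid/enablesid/modifysid-style file."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def apply_state(rules, disable, drop, enable, state_order="disable,drop,enable"):
    """Apply the three state files in the order given by state_order."""
    actions = {
        "disable": lambda r: setattr(r, "enabled", False),
        "drop": lambda r: setattr(r, "text", re.sub(r"^alert\b", "drop", r.text)),
        "enable": lambda r: setattr(r, "enabled", True),
    }
    selectors = {"disable": disable, "drop": drop, "enable": enable}
    for step in state_order.split(","):
        for rule in rules:
            if any(selector_matches(s, rule) for s in selectors[step]):
                actions[step](rule)
    return rules


def apply_modifysid(rules, lines):
    """sid "find" "replace" lines. The e-mail says the '*' form only worked for
    gid:1 rules, so this model restricts '*' to gid 1 (a modelling assumption)."""
    for line in lines:
        m = MODIFY_LINE.match(line)
        if not m:
            raise ValueError("unparseable modifysid line: " + line)
        target, find, replace = m.groups()
        for rule in rules:
            hit = rule.gid == 1 if target == "*" else str(rule.sid) in target.split(",")
            if hit:
                rule.text = re.sub(find, replace, rule.text)
    return rules


def render(rules):
    """snort.rules lines: disabled rules commented out, blanked rules dropped."""
    return [r.text if r.enabled else "# " + r.text for r in rules if r.text.strip()]


def run_email_steps():
    """Steps 4 to 7 of the e-mail, as the lines its echo commands append."""
    disable = read_conf("pcre:.")                                      # step 4
    enable = read_conf("server-apache\npcre:OpenSSL\npcre: cipher\n"   # step 5
                       "pcre:rule-type decode\n139:1-139:9999\n")
    modify = read_conf(r'* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "' "\n"  # step 6
                       r'* ".*freakattack.*" ""' "\n" r'* ".*sid:28205.*" ""')          # step 7
    rules = [Rule(cat, text) for cat, text in SAMPLE_RULES]
    apply_modifysid(apply_state(rules, disable, [], enable), modify)
    return rules


if __name__ == "__main__":
    print("\n".join(render(run_email_steps())))
```

Run it with python3 and it prints the snort.rules the model would produce: the apache rule now on $MY_HTTP_PORTS, the webapp rule commented out, the two OpenSSL rules caught by the broad pcre: line kept, the preprocessor rule for gid 145 commented out, and the two rules blanked by modifysid gone entirely. The point worth noticing is that step 5 enables by substring match over the whole rule text, so a pattern like ` cipher` or `OpenSSL` pulls in every rule whose msg or options mention it, which is exactly why step 7 exists to prune individual rules afterwards.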


