<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Joel,</div><div>      I'm a little confused. Are all new rules created being placed into a rule category? How do you pull rules based on temporal-based concerns? How do I pull rules based on CVSS score?</div><div><br></div><div>Right now I'm pulling rules based on categories using the enablesid.conf in pulledpork, and that's probably a lot more rules than I need.</div><div><br></div><div>Thanks,</div><div>Ed<br><br><div><div>Sent from a mobile device.</div></div></div><div><br>On Feb 21, 2014, at 2:39 PM, "Joel Esler (jesler)" <<a href="mailto:jesler@...589...">jesler@...589...</a>> wrote:<br><br></div><blockquote type="cite"><div>



Perhaps a bit off topic from the original thread, but Juan’s email prompted me about the way he seems to be doing things.  
<div><br>
</div>
<div>Have you seen this?<br>
<div><br>
</div>
<div><a href="http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html">http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html</a></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><span style="font-family: 'Lucida Grande';">--</span><br>
<span style="font-family: 'Lucida Grande';"><b>Joel Esler | </b></span><span style="font-family: 'Lucida Grande';">Threat Intelligence Team Lead |</span><span style="font-family: 'Lucida Grande';"> Open Source Manager | Vulnerability Research Team</span></div>
<div><font face="Lucida Grande"><br>
</font>
<div>
<div>On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <<a href="mailto:camilo.valencia13@...11827...">camilo.valencia13@...11827...</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most optimized, but it works; you can use it for your keyword:</div>
<div><br>
</div>
<div>
<div>#Regex to enable Internet Explorer rules with an attempted-(admin|dos|recon|user) classtype</div>
<div>pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)</div>
<div>pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)</div>
<div>pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)</div>
<div>#Regex to enable rules in VRT-file-multimedia.rules based on FILE-MULTIMEDIA and attempted-(admin|dos|user)</div>
<div>pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)</div>
<div>pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan\.org)\b)</div>
<div>#Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted-(admin|user) or misc-activity</div>
<div>pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)</div>
<div>pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)</div>
<div>#Regex to enable rules in VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity</div>
<div>pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)</div>
</div>
<div><br>
</div>
<div>I hope that this helps you,</div>
<div><br>
</div>
<div>Best Regards</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <span dir="ltr">
<<a href="mailto:SnortFan@...131..." target="_blank">SnortFan@...3112......</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi All,<br>
    Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule?<br>
<br>
If so can you post an example?<br>
<br>
Thanks,<br>
Ed<br>
<br>
Sent from a mobile device.<br>
------------------------------------------------------------------------------<br>
Managing the Performance of Cloud-Based Applications<br>
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.<br>
Read the Whitepaper.<br>
<a href="http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk" target="_blank">http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk</a><br>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@...4626...ceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org/" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>JUAN CAMILO VALENCIA VARGAS<br>
Ingeniero de Operaciones</div>
<div>SeguraTec S.A.S </div>
<div>Calle 11 # 43B-50 of 307</div>
<div>Medellín Colombia</div>
<div><br>
<b>“Choose a job you love, and you will never have to work a day in your life”</b><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>


</div></blockquote></body></html>
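The following is an added worked example, not code from this thread or from pulledpork itself. It models the part of pulledpork's enablesid.conf / disablesid.conf handling where each `pcre:<regex>` line is tested against the full text of every rule (that is the assumption the model rests on; whether pulledpork matches case-insensitively is not checked here and is left as a parameter). The sample rules, their SIDs and the CVE ids are constructed for the example. It shows why Juan's lookahead entries select what they do (every `(?=...)` must hold somewhere in the same rule line, so category and classtype are ANDed), and it answers Ed's CVSS question on the data level: the rule text carries `classtype`, the `msg` category prefix, `metadata` policy tags and `reference:cve,...`, but no CVSS or temporal score, so a pcre can only key on those fields and a CVSS-driven selection needs an external CVE-to-score lookup feeding the selector, as `sids_referencing_cve` sketches.

```python
"""Apply pulledpork-style 'pcre:' enablesid entries to Snort rule text.

Added example; not pulledpork's own code. Assumption: a 'pcre:' entry is
tested against the whole rule line and a match selects that rule.
"""
import re
from typing import Dict, Iterable, List, Pattern

# Constructed sample rules (not from any real ruleset); SIDs and CVE ids are made up.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; content:"sample"; classtype:attempted-user; reference:cve,2014-0001; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer version check"; flow:to_client,established; content:"sample"; classtype:misc-activity; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime malformed atom attempt"; flow:to_client,established; file_data; content:"sample"; classtype:attempted-user; reference:url,support.apple.com/kb/placeholder; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Other vendor media player overflow attempt"; flow:to_client,established; file_data; content:"sample"; classtype:attempted-user; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sample outbound connection"; flow:to_server,established; content:"sample"; classtype:trojan-activity; sid:9000005; rev:1;)
"""

# Entries in the thread's enablesid.conf style (comments and blank lines are ignored).
# The dot in videolan.org is escaped here so it matches only a literal dot.
SAMPLE_ENABLESID = r"""
# Internet Explorer rules with an attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
# FILE-MULTIMEDIA attempted-user rules, restricted to three vendors
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan\.org)\b)
# MALWARE-CNC rules with a trojan-activity classtype
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CVE_REF_RE = re.compile(r"reference:\s*cve,\s*([0-9]{4}-[0-9]+)", re.IGNORECASE)


def parse_rules(text: str) -> Dict[int, str]:
    """Map sid -> full rule line, one rule per line; comments and blanks are skipped."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            rules[int(m.group(1))] = line
    return rules


def parse_pcre_entries(conf: str, ignore_case: bool = False) -> List[Pattern]:
    """Compile the pcre: lines of an enablesid/disablesid-style file.

    Python's re, not PCRE, evaluates them; lookaheads behave the same for these
    entries. Case handling is a parameter because it is an assumption here.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(line.strip()[len("pcre:"):], flags)
            for line in conf.splitlines() if line.strip().startswith("pcre:")]


def select_sids(rules: Dict[int, str], patterns: Iterable[Pattern]) -> List[int]:
    """Sorted sids whose full rule text matches at least one pattern.

    Each (?=...) lookahead must hold somewhere in the same line, which is what
    ANDs the category prefix, the classtype and the vendor keyword together.
    """
    pats = list(patterns)
    return sorted(sid for sid, rule in rules.items()
                  if any(p.search(rule) for p in pats))


def sids_referencing_cve(rules: Dict[int, str], cve_ids: Iterable[str]) -> List[int]:
    """Select by a field the rule text does carry: reference:cve,<id>.

    The rule line has no CVSS or temporal score, so the list of CVE ids
    would come from an external lookup (assumption: the caller supplies it).
    """
    wanted = {re.sub(r"^CVE-", "", c.strip().upper()) for c in cve_ids}
    return sorted(sid for sid, rule in rules.items()
                  if any(ref in wanted for ref in CVE_REF_RE.findall(rule)))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("selected by pcre:", select_sids(rules, parse_pcre_entries(SAMPLE_ENABLESID)))
    print("referencing CVE-2014-0001:", sids_referencing_cve(rules, ["CVE-2014-0001"]))
```

Run against the constructed rules, the three entries select 9000001, 9000003 and 9000005: 9000002 fails the classtype lookahead, and 9000004 fails the vendor lookahead even though its category and classtype match, which is the over-selection Ed describes when only the category is used. The policy tags discussed in the linked rebalancing post live in the rule's `metadata:` option and are therefore also reachable by a `pcre:` entry.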