Snort mailing list archives
Pulled Pork Not Enabling ET Rules
From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
Date: Fri, 20 May 2011 14:06:51 -0500
I need some help. I noticed recently that PP is not enabling my ET rule sets and for the life of me I can't figure out why. Config details are below. PP verbose output attached and rules file attached. Any help would be greatly appreciated.

############# enablesid.conf
.....
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
emerging-trojan
emerging-virus
emerging-worm
emerging-dos
emerging-exploit
emerging-p2p
emerging-botcc
emerging-scan
emerging-web_server
emerging-sql
emerging-dshield
pop3
backdoor
preprocessor
bad-traffic
blacklist
botnet-cnc.rules
ddos
dos
exploit
p2p
specific-threats
virus
web-attacks
scan
sql

########## disablesid.conf
.....
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
decoder
web-cgi
sensitive-data
icmp
pop2
voip
imap
info
rpc
web-activex
rservices
chat
scada
content-replace
misc
web-client
multimedia
shellcode
web-coldfusion
mysql
smtp
web-frontpage
dns
netbios
snmp
web-iis
nntp
web-misc
experimental
spyware-put
web-php
exploit
oracle
x11
finger
other-ids
telnet
ftp
tftp
icmp-info
policy
emerging-ftp
emerging-policy
emerging-games
emerging-pop3
emerging-user_agents
emerging-activex
emerging-rpc
emerging-attack_response
emerging-icmp
emerging-scada
emerging-voip
emerging-chat
emerging-icmp_info
emerging-shellcode
emerging-web_client
emerging-imap
emerging-current_events
emerging-inappropriate
emerging-smtp
emerging-web_specific_apps
emerging-deleted
emerging-snmp
emerging-dns
emerging-misc
emerging-netbios
emerging-telnet
emerging-exploit
emerging-tftp
emerging-mobile_malware
emerging-botcc-BLOCK
emerging-compromised
emerging-compromised-BLOCK
emerging-drop
emerging-drop-BLOCK
emerging-dshield-BLOCK
emerging-rbn
emerging-rbn-BLOCK
emerging-tor
emerging-tor-BLOCK
emerging-ciarmy

####### pulledpork.conf
.......
# i.e. url|tarball|123456789,
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|XXXXXXXXXXXX
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|dfb287e63552fa1f536f338ea2d0e10b0395c8ea
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
........
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
state_order=enable,disable,drop
............
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
enablesid=/etc/snort/enablesid.conf
# dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security

GIBBY
_____________________________
Nathan J. Gibson, MsIA, CISSP, CISM, CCNA, MCSA
IT Architect
Infrastructure Services
The University of Oklahoma HSC
voice: 405.271.2644 x50340
fax: 405.271.2181
Feedback? Email comments to Chris Hodges <mailto:chris-hodges () ouhsc edu?subject=Heads%20up%20about%20Gibby>

--------------------------
CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.
Attachment:
snort.rules
Description: snort.rules
Attachment:
pp-out.log
Description: pp-out.log
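The pulledpork.conf comment quoted in the post states the rule that matters here: the enablesid, disablesid and dropsid lists are applied in the order given by state_order, and a later list overrides an earlier one (disable a whole category, then re-enable a rule or two out of it). Both files posted above list emerging-exploit and exploit, so with state_order=enable,disable,drop those two categories are enabled first and then disabled again. The Python below is an added model of that precedence written for this page; it is not PulledPork's own code and it does not claim to be the cause of the poster's problem. It assumes that a bare category entry matches rules whose source file is exactly <category>.rules, and it models dropsid as enabling the rule and rewriting its action to drop. The sample rules are constructed, not taken from the attached snort.rules.

```python
import re

# Constructed sample rules (not the attached snort.rules): (source file, rule line).
# A leading '#' is how a disabled rule appears in the generated snort.rules.
SAMPLE_RULES = [
    ("emerging-trojan.rules",
     'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN sample"; sid:2000001; rev:1;)'),
    ("emerging-exploit.rules",
     '#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT sample"; sid:2000002; rev:1;)'),
    ("emerging-policy.rules",
     'alert tcp any any -> any any (msg:"ET POLICY sample"; sid:2000003; rev:1;)'),
    ("exploit.rules",
     'alert tcp any any -> any any (msg:"EXPLOIT sample"; sid:1000; rev:1;)'),
]

# Excerpts of the two files posted above; emerging-exploit and exploit appear in both.
ENABLESID = """
# excerpt of the posted enablesid.conf
emerging-trojan
emerging-exploit
exploit
"""
DISABLESID = """
# excerpt of the posted disablesid.conf
emerging-policy
emerging-exploit
exploit
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|log|pass)\b")


def parse_rules(pairs):
    """Build {sid: {"file", "enabled", "action", "rule"}} from (file, line) pairs."""
    rules = {}
    for fname, line in pairs:
        m = SID_RE.search(line)
        if not m:
            continue
        body = line.lstrip().lstrip("#").strip()
        am = ACTION_RE.match(body)
        rules[int(m.group(1))] = {
            "file": fname,
            "enabled": not line.lstrip().startswith("#"),
            "action": am.group(1) if am else "alert",
            "rule": body,
        }
    return rules


def parse_sidfile(text):
    """Entries of an enablesid/disablesid/dropsid file.

    Handles bare category names (the only form on the page) and gid:sid pairs;
    ranges and pcre: entries are left out of this model.
    Returns a list of ("sid", int) or ("cat", str); comments and blanks are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d+):(\d+)", line)
        entries.append(("sid", int(m.group(2))) if m else ("cat", line))
    return entries


def apply_list(rules, entries, state):
    """Apply one list. Assumption: a category entry matches <category>.rules exactly."""
    for kind, val in entries:
        for sid, r in rules.items():
            hit = (kind == "sid" and sid == val) or (kind == "cat" and r["file"] == val + ".rules")
            if not hit:
                continue
            if state == "enable":
                r["enabled"] = True
            elif state == "disable":
                r["enabled"] = False
            elif state == "drop":          # modelled as: enable and switch action to drop
                r["enabled"] = True
                r["action"] = "drop"


def resolve(state_order, rule_pairs=SAMPLE_RULES, enablesid=ENABLESID,
            disablesid=DISABLESID, dropsid=""):
    """Apply the three lists in state_order; each later list overrides the earlier ones."""
    rules = parse_rules(rule_pairs)
    lists = {"enable": enablesid, "disable": disablesid, "drop": dropsid}
    for state in (s.strip() for s in state_order.split(",")):
        if state not in lists:
            raise ValueError("unknown state in state_order: %r" % state)
        apply_list(rules, parse_sidfile(lists[state]), state)
    return rules


def final_states(state_order):
    """{sid: enabled} for the constructed rules under the page's two lists."""
    return {sid: r["enabled"] for sid, r in resolve(state_order).items()}


def render(rules):
    """Lines as they would be written to the generated snort.rules, '#' for disabled."""
    out = []
    for sid, r in sorted(rules.items()):
        body = ACTION_RE.sub(r["action"], r["rule"], count=1)
        out.append(body if r["enabled"] else "#" + body)
    return out


if __name__ == "__main__":
    for order in ("enable,disable,drop", "disable,enable,drop"):
        print("state_order=" + order)
        for line in render(resolve(order)):
            print("  " + line)
```

Under state_order=enable,disable,drop the emerging-exploit and exploit samples come out commented; swapping to disable,enable,drop leaves them active while emerging-policy (listed only in disablesid.conf) stays off. Before reading the verbose log, a quick check for names present in both files is `grep -hv '^#' enablesid.conf disablesid.conf | sort | uniq -d`.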
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Pulled Pork Not Enabling ET Rules Gibson, Nathan J. (HSC) (May 20)
- Pulled Pork Not Enabling ET Rules Gibson, Nathan J. (HSC) (May 20)
- Re: Pulled Pork Not Enabling ET Rules Eoin Miller (May 20)
- Re: Pulled Pork Not Enabling ET Rules JJC (May 20)
- Re: Pulled Pork Not Enabling ET Rules Eoin Miller (May 20)
- Re: Pulled Pork Not Enabling ET Rules Gibson, Nathan J. (HSC) (May 20)
- Re: Pulled Pork Not Enabling ET Rules Gibson, Nathan J. (HSC) (May 20)
- Re: Pulled Pork Not Enabling ET Rules Gibson, Nathan J. (HSC) (May 20)
- Re: Pulled Pork Not Enabling ET Rules Eoin Miller (May 20)
- Pulled Pork Not Enabling ET Rules Gibson, Nathan J. (HSC) (May 20)