Snort mailing list archives
Re: some question about snort rules
From: JJC <cummingsj () gmail com>
Date: Wed, 17 Aug 2011 08:13:00 -0600
You can also use the references that are listed... look up the CVE / Bugtraq info. Also a pretty good bet that most rules that have an MSXX-XXXX reference are MSFT related.

JJC

On Wed, Aug 17, 2011 at 7:21 AM, Joel Esler <jesler () sourcefire com> wrote:

> Take a look at web-cgi, web-client, web-misc for apache. Windows vulnerabilities are all over the place. (Netbios, web-client, botnet-cnc, blacklist, web-misc.. etc)
>
> Incidentally, we are currently in a project to redesign the entire VRT ruleset solving the exact problem you are describing below. We should have something to announce soon over on the VRT blog http://blog.snort.org We are in the final design stages and will open it up for comments soon.
>
> Joel
>
> On Aug 17, 2011, at 7:32 AM, Zhuxian wrote:
>
>> For the VRT rules, how do I know which rules relate to which OS, such as Windows, Suse? I have not found any attribute in the rule to indicate whether it is Windows related or not.
>>
>> And for Apache, how do I know which rules relate to Apache? I can't find any rule file named apache.rules. Do you mean I should enable all rules in web-**.rules files?
>>
>> -----Original Message-----
>> From: Jason Wallace [mailto:jason.r.wallace () gmail com]
>> Sent: Thursday, August 04, 2011 8:44 PM
>> To: Zhuxian
>> Cc: snort-sigs () lists sourceforge net; Likun
>> Subject: Re: [Snort-sigs] same question about snort rules
>>
>> On Wed, Aug 3, 2011 at 11:53 PM, Zhuxian <zhuxian () huawei com> wrote:
>>
>>> 1. Does snort provide the test tools and test model to test these rules? Or are there any suggested tools to test these rules? If snort does not provide, does SourceFire provide?
>>
>> I do not know of any testing tools related to snort rules in general. What type of testing are you looking for?
>>
>>> 2. Some rules are commented in the rules file released by snort. Does this mean these are the default rule settings for snort? Are there any references or guides for the customer to tune the rule set?
>>
>> The rules are broken up into three policy groups: Connectivity, Balanced, and Security. Take a look at... http://code.google.com/p/pulledpork/source/browse/trunk/doc/README.RULESET for a high level view of these policies. I'm not sure what policy the default state of the rules is tied to.
>>
>> If you use a rule management tool that can use these policy settings, like pulledpork, then it will enable/disable rules based on what policy you choose. These policies are just a starting point. What you run for rules depends on what you are trying to protect. If you are not running Windows servers, you can turn off all the Windows related rules. If you are running Apache, then you probably want to turn those rules on. Even then you want to be specific about what rules you enable. Just because you are running Apache doesn't mean you need to run all the Apache related rules. If you are running an older version of Apache you would need to run more rules than if it were the current version of Apache. What rules you enable should be tied to what OS you are using, what applications/services you want to protect, and what vulnerabilities those OS's and apps/services have. There are also more general rules that look for things like malware and policy violations. Whether or not you enable those rules depends on what you do or do not allow in your environment.
>>
>> For general tuning information look at some of the webcasts at snort.org... http://www.snort.org/community/snort-webcast-series/
>>
>> Regards,
>> Kurtzhu

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
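The thread makes two practical points: JJC's, that the `reference:` options in a rule (CVE, Bugtraq, and MSXX-XXXX bulletin URLs) tell you what a rule covers, and Jason's, that the `metadata: policy ...` tags place each rule in the Connectivity, Balanced or Security policy group so a tool like pulledpork can enable or disable it. The script below, added here as an illustration and not code from the thread, Snort or pulledpork, parses a few constructed rules in Snort 2.x syntax, pulls out those options, flags rules with a Microsoft bulletin reference, expands references into lookup URLs, and selects SIDs by policy. The rules, SIDs and advisory identifiers are constructed placeholders; the policy token names (`balanced-ips` etc.) and the three-entry reference prefix map are assumptions modelled on Snort's rule metadata and reference.config.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules (not VRT rules); advisory ids are placeholders, not real advisories.
SAMPLE_RULES = r"""
# a rule shipped commented out is disabled in the file
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example"; flow:to_server,established; content:"|FF|SMB"; reference:cve,2008-9998; reference:url,www.microsoft.com/technet/security/bulletin/MS08-999.mspx; classtype:attempted-admin; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache example"; flow:to_server,established; content:"GET"; reference:cve,2011-9999; reference:bugtraq,99999; classtype:attempted-dos; sid:1000002; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example"; flow:to_client,established; content:"<object"; reference:cve,2011-9997; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-998; classtype:attempted-user; sid:1000003; rev:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BOTNET-CNC example"; flow:to_server,established; content:"cmd"; classtype:trojan-activity; sid:1000004; rev:1;)
"""

# Assumption: a minimal subset of the type -> URL prefix map Snort keeps in reference.config.
REFERENCE_PREFIXES = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "url": "http://",
}

MS_BULLETIN = re.compile(r"\bMS\d{2}-\d{3,4}\b", re.IGNORECASE)
RULE_LINE = re.compile(
    r"^(?P<off>#\s*)?(?P<action>alert|drop|log|pass|reject|sdrop)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    sid: int
    msg: str
    enabled: bool                                    # False when the line is commented out
    references: list = field(default_factory=list)   # (type, value) pairs from reference: options
    policies: set = field(default_factory=set)       # policy names from metadata: options

    @property
    def microsoft(self) -> bool:
        """JJC's heuristic: any MSXX-XXXX bulletin id in a reference marks a Microsoft rule."""
        return any(MS_BULLETIN.search(value) for _, value in self.references)

    def cve_ids(self) -> list:
        return [f"CVE-{value}" for rtype, value in self.references if rtype == "cve"]

    def reference_urls(self) -> list:
        """Expand references into lookup URLs the way Snort's reference.config prefixes do."""
        return [REFERENCE_PREFIXES[t] + v for t, v in self.references if t in REFERENCE_PREFIXES]


def split_options(opts: str):
    """Yield (key, value) pairs; ';' escaped as '\\;' inside content does not split."""
    for part in re.split(r"(?<!\\);", opts):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            yield key.strip(), value.strip()


def parse_rule(line: str):
    m = RULE_LINE.match(line.strip())
    if not m:
        return None                                  # blank line, plain comment, or not a rule
    sid, msg, refs, policies = None, "", [], set()
    for key, value in split_options(m.group("opts")):
        if key == "sid":
            sid = int(value)
        elif key == "msg":
            msg = value.strip('"')
        elif key == "reference":
            rtype, _, rval = value.partition(",")
            refs.append((rtype.strip(), rval.strip()))
        elif key == "metadata":
            # e.g. "policy balanced-ips drop, policy security-ips drop"
            for item in value.split(","):
                words = item.split()
                if len(words) >= 2 and words[0] == "policy":
                    policies.add(words[1])
    if sid is None:
        return None
    return Rule(sid, msg, m.group("off") is None, refs, policies)


def parse_rules(text: str) -> list:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def select_sids(rules, policy: str, include_microsoft: bool = True) -> set:
    """SIDs a policy-driven tool would enable; drop Microsoft rules when nothing Windows is protected."""
    return {r.sid for r in rules
            if policy in r.policies and (include_microsoft or not r.microsoft)}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        state = "on " if r.enabled else "off"
        print(f"{r.sid} [{state}] ms={r.microsoft!s:5} policies={sorted(r.policies)} {r.msg}")
        for url in r.reference_urls():
            print("    ", url)
    print("balanced, no Windows:", sorted(select_sids(rules, "balanced-ips", include_microsoft=False)))
```

The selection step is what pulledpork does with the policy metadata in bulk; the `microsoft` property is JJC's rule of thumb turned into a filter, and the `WEB-*` prefix in `msg` is the only hint the sample gives that a rule belongs to the web-cgi/web-client/web-misc families Joel mentions, since nothing in the rule says "apache" explicitly.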
Current thread:
- same question about snort rules Zhuxian (Aug 03)
- Re: same question about snort rules Jason Wallace (Aug 04)
- Re: some question about snort rules Zhuxian (Aug 17)
- Re: some question about snort rules Joel Esler (Aug 17)
- Re: some question about snort rules JJC (Aug 17)
- Re: some question about snort rules Zhuxian (Aug 17)
- Re: same question about snort rules Jason Wallace (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules Will Metcalf (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules rmkml (Aug 04)
- Re: same question about snort rules rmkml (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules Will Metcalf (Aug 04)