Snort mailing list archives

Re: VRT Rules question


From: JJC <cummingsj () gmail com>
Date: Wed, 21 Aug 2013 08:25:23 -0600

Juan,

This is the precise reason that PulledPork supports regular expressions in
your enablesid... you will want to craft the appropriate regular expression
for each wildcard that you want to enable.

For example:
pcre:MS(0|1)\d-\d+

The above would match anything from MS00 and up. There are of course
different/better ways of doing this, but hopefully this example gets you
started (google "pcre" and start learning it, it's invaluable knowledge
anyway). Given this knowledge you should be able to see how to turn on
other rules based on your remaining requirements / criteria.

JJC

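As an added illustration (not PulledPork's own code and not part of JJC's reply), the Python script below applies a pcre like the one above to a handful of constructed Snort rule lines and shows the difference between matching across every downloaded rules file and restricting the match to one rules file such as os-windows.rules. The category restriction is implemented by the script itself; it does not model how PulledPork evaluates its enablesid pcre entries. The rule text, references and SIDs are invented for the example, and the `1:<sid>` output format is assumed to be the gid:sid form enablesid.conf accepts.

```python
import re

# Constructed sample rules for the example: (rules file they came from, rule text).
# Messages, CVE/MS references and SIDs are placeholders, not real VRT rules.
SAMPLE_RULES = [
    ("os-windows.rules", 'alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS sample A MS05-001"; reference:cve,2005-0001; sid:1000001; rev:1;)'),
    ("os-windows.rules", 'alert tcp any any -> $HOME_NET 135 (msg:"OS-WINDOWS sample B MS13-002"; reference:cve,2013-0002; sid:1000002; rev:1;)'),
    ("os-windows.rules", 'alert tcp any any -> $HOME_NET 80 (msg:"OS-WINDOWS sample C"; reference:cve,1999-0003; sid:1000003; rev:1;)'),
    ("os-linux.rules",   'alert tcp any any -> $HOME_NET 22 (msg:"OS-LINUX sample D"; reference:cve,2006-0004; sid:1000004; rev:1;)'),
    ("browser-ie.rules", 'alert tcp any any -> $HOME_NET 80 (msg:"BROWSER-IE sample E MS10-005"; reference:cve,2010-0005; sid:1000005; rev:1;)'),
    ("os-windows.rules", 'alert tcp any any -> $HOME_NET 139 (msg:"OS-WINDOWS sample F MS12-006"; reference:cve,2012-0006; sid:1000006; rev:1;)'),
]

# The pcre from the reply above, and one that covers CVE years 2000 to 2012.
MS_PCRE = r"MS(0|1)\d-\d+"
CVE_2000_2012_PCRE = r"cve,20(0\d|1[0-2])-\d+"

SID_RE = re.compile(r"\bsid:(\d+);")


def select_sids(rules, pattern, category=None):
    """Return SIDs (in file order) of rules whose text matches `pattern`.

    If `category` is given, only rules from that rules file are considered;
    with no category the pattern is applied to every rule, which is the
    behaviour the original question describes.
    """
    pat = re.compile(pattern)
    selected = []
    for rules_file, text in rules:
        if category is not None and rules_file != category:
            continue
        if pat.search(text):
            m = SID_RE.search(text)
            if m:
                selected.append(int(m.group(1)))
    return selected


def enablesid_lines(sids, gid=1):
    """Format selected SIDs as gid:sid entries (assumed enablesid.conf form)."""
    return ["%d:%d" % (gid, sid) for sid in sids]


if __name__ == "__main__":
    # Without a category filter the MS pcre turns on rules from every file.
    print("MS, all files:      ", select_sids(SAMPLE_RULES, MS_PCRE))
    # Restricting to os-windows.rules gives the category-scoped result.
    print("MS, os-windows:     ", select_sids(SAMPLE_RULES, MS_PCRE, "os-windows.rules"))
    # CVE 2000..2012 scoped to os-windows.rules, emitted as enablesid entries.
    sids = select_sids(SAMPLE_RULES, CVE_2000_2012_PCRE, "os-windows.rules")
    print("CVE 2000-2012, os-windows:", enablesid_lines(sids))
```

The two patterns are searched anywhere in the rule text, so a bulletin number that only appears in the msg field is still picked up; the year range works by constraining the two digits after `20` rather than by comparing numbers, which is why 2013 is excluded.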

On Wed, Aug 21, 2013 at 7:17 AM, Juan Camilo Valencia <juan.valencia () seguratec com co> wrote:

Hi Guys,

I think that this couple of questions were answered in the past, or are in
some documentation, but at this moment I can't find the answer. Basically
what I have is the need to activate certain rules based on CVE or MS in
rules, but based on a category; for example, I want to enable all the CVEs
from 2000 to 2012 in os-windows.rules. However, when I create the line in
enablesid.conf in PulledPork, it activates for all the rules downloaded.
Is there a way to mix those two criteria, CVE or MS and category?
If not,
do the rules have a range based on category? For example, os-linux.rules
are between 2000 and 3000, os-windows.rules are between 3001 and 4000, etc.

Because with that I think that I can use pcre and regex to do that.

Thanks a lot for your time, and thanks in advance,

Best regards from Colombia

--
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín Colombia

*“Choose a job you love, and you will never have to work a day in your
life”*


------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and
AppDynamics. Performance Central is your source for news, insights,
analysis and resources for efficient Application Performance Management.
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
