Snort mailing list archives

Re: Pulledpork and preprocessor rules


From: Dave Corsello <snort-users () wintertreemedia com>
Date: Fri, 24 Jan 2014 10:37:14 -0500

Duh.  Thanks.  I also got it to work using pcre:REPUTATION.

On 1/24/2014 10:00 AM, Ward Sladek wrote:
Add "136:1" and "136:2" to enablesid.conf instead of 1:136 and 2:136.



Date: Thu, 23 Jan 2014 21:43:50 -0500
From: snort-users () wintertreemedia com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulledpork and preprocessor rules

Hi Ed,

Thanks for your reply. Maybe I should be more specific in what I want
to do. I currently have rules enabled by policy. In addition, I want
to turn on just the two reputation preprocessor rules, 1:136 and 2:136.
I don't see a way to accomplish that with the categories that you
provided. What am I missing?

--Dave

On 1/23/2014 3:47 PM, SnortFan wrote:
Here is the list as best as I can tell from what's in the snort
rules file. When I place them into the enablesid.conf file and pull I
get the mother lode of rules. I don't recommend turning them all on.

app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11

Sent from a mobile device.

On Jan 23, 2014, at 8:44 AM, SnortFan <SnortFan () yahoo com> wrote:

Hi Dave,
It looks like it pulls them down and places them in the
snort.rules file. I don't see where it replaces the gen-msg.map file,
but if you search in the snort.rules file for one of the gids you
should see them.

Cheers,
Ed

Sent from a mobile device.

On Jan 23, 2014, at 7:43 AM, Dave Corsello
<snort-users () wintertreemedia com> wrote:

I thought this would be a pretty basic question, but I haven't been
able to locate an answer yet. How do you enable preproc rules in
pulledpork? I tried adding "1:136,2:136" to enablesid.conf, but it
didn't work.


------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In
Between.
Get a Quote or Start a Free Trial Today.

http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the
latest Snort news!
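The gid:sid lookup behind Ward's fix ("136:1", not "1:136") and Dave's pcre:REPUTATION alternative, as an added Python model of how an enablesid.conf entry selects rules from snort.rules. This is illustration code, not pulledpork's own parser: the rule lines are constructed, and pulledpork's real matching (category names, more entry forms) is broader than what is modelled here.

```python
import re

# Constructed sample of a pulledpork-generated snort.rules (not real VRT output): two text
# rules with the implicit gid 1 (one disabled with "# ") and the two reputation rules, gid 136.
SNORT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP sample text rule"; sid:136; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP sample disabled rule"; sid:2000; rev:1;)
alert ( msg:"REPUTATION packet is blacklisted"; sid:1; gid:136; rev:1; metadata:rule-type preproc; )
alert ( msg:"REPUTATION packet is whitelisted"; sid:2; gid:136; rev:1; metadata:rule-type preproc; )
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")

def parse_rules(text):
    """Map (gid, sid) -> rule line; a rule without a gid option is gid 1 (a text rule)."""
    rules = {}
    for line in text.splitlines():
        sid = SID_RE.search(line)
        if not sid:
            continue  # blank line or a comment that is not a rule
        gid = GID_RE.search(line)
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = line
    return rules

def select(enablesid_text, rules):
    """Return the (gid, sid) pairs an enablesid.conf would switch on.
    Models only the gid:sid, gid:sid-sid and pcre:regex entry forms; category names are
    not handled, and a pcre entry is expected alone on its line (it may contain commas)."""
    chosen = set()
    for raw in enablesid_text.splitlines():
        raw = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not raw:
            continue
        if raw.startswith("pcre:"):
            rx = re.compile(raw[len("pcre:"):])
            chosen.update(k for k, line in rules.items() if rx.search(line))
            continue
        for item in raw.split(","):
            gid, sids = item.strip().split(":", 1)  # gid first, then sid or sid-sid range
            lo, _, hi = sids.partition("-")
            lo, hi = int(lo), int(hi or lo)
            chosen.update(k for k in rules if k[0] == int(gid) and lo <= k[1] <= hi)
    return chosen

if __name__ == "__main__":
    rules = parse_rules(SNORT_RULES)
    for conf in ("1:136", "136:1,136:2", "pcre:REPUTATION"):
        print(f"{conf!r:20} -> {sorted(select(conf, rules))}")
```

Run as a script it shows that "1:136" enables the unrelated gid-1 text rule with sid 136, while "136:1,136:2" and "pcre:REPUTATION" both pick out the two reputation preprocessor rules.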
