Snort mailing list archives
Re: Pulledpork and proprocessor rules
From: Dave Corsello <snort-users () wintertreemedia com>
Date: Fri, 24 Jan 2014 10:37:14 -0500
Duh. Thanks. I also got it to work using pcre:REPUTATION.

On 1/24/2014 10:00 AM, Ward Sladek wrote:

Add "136:1" and "136:2" to enablesid.conf instead of 1:136 and 2:136.

Date: Thu, 23 Jan 2014 21:43:50 -0500
From: snort-users () wintertreemedia com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulledpork and proprocessor rules

Hi Ed,

Thanks for your reply. Maybe I should be more specific in what I want to do. I currently have rules enabled by policy. In addition, I want to turn on just the two reputation preprocessor rules, 1:136 and 2:136. I don't see a way to accomplish that with the categories that you provided. What am I missing?

--Dave

On 1/23/2014 3:47 PM, SnortFan wrote:

Here is the list as best as I can tell from what's in the snortrules file. When I place them into the enablesid.conf file and pull I get the mother lode of rules. I don't recommend turning them all on.

app-detect blacklist browser-chrome browser-firefox browser-ie browser-other browser-plugins browser-webkit content-replace decoder dos exploit-kit file-executable file-flash file-identify file-image file-java file-multimedia file-office file-other file-pdf indicator-compromise indicator-obfuscation indicator-scan indicator-shellcode malware-backdoor malware-cnc malware-other malware-tools netbios os-linux os-mobile os-other os-solaris os-windows policy-multimedia policy-other policy-social policy-spam preprocessor protocol-dns protocol-finger protocol-ftp protocol-icmp protocol-imap protocol-nntp protocol-pop protocol-rpc protocol-scada protocol-services protocol-snmp protocol-telnet protocol-tftp protocol-voip pua-adware pua-other pua-p2p pua-toolbars server-apache server-iis server-mail server-mssql server-mysql server-oracle server-other server-samba server-webapp sql x11

Sent from a mobile device.

On Jan 23, 2014, at 8:44 AM, SnortFan <SnortFan () yahoo com> wrote:

Hi Dave,

It looks like it pulls them down and places them in the snort.rule file. I don't see where it replaces the gen-msg.map file, but if you search in the snort.rules file for one of the gid's you should see them.

Cheers,
Ed

Sent from a mobile device.

On Jan 23, 2014, at 7:43 AM, Dave Corsello <snort-users () wintertreemedia com> wrote:

I thought this would be a pretty basic question, but I haven't been able to locate an answer yet. How do you enable preproc rules in pulledpork? I tried adding "1:136,2:136" to enablesid.conf, but it didn't work.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
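
A sanity check for the gid:sid ordering discussed in this thread, as an added example that is not part of the original messages or of PulledPork: it indexes the (gid, sid) pairs found in a rules file and flags enablesid.conf entries that only match with the two numbers swapped. The sample rule lines, the function names and the assumption that a rule without a gid option belongs to generator 1 are this example's own.

```python
import re

# Constructed sample rules (not copied from a real rule file): two preprocessor
# rules under generator 136, commented out as a disabled rule would be, and one
# ordinary text rule with no gid option.
SAMPLE_RULES = '''\
# alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
# alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert tcp any any -> any 80 (msg:"constructed example"; content:"x"; sid:1000001; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
ENTRY_RE = re.compile(r'^(\d+):(\d+)$')

def index_rules(text):
    """Return the set of (gid, sid) pairs in a rules file, enabled or commented out."""
    pairs = set()
    for line in text.splitlines():
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        # Assumption: a rule with no gid option is treated as generator 1.
        pairs.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return pairs

def check_entries(conf_text, rules):
    """Classify each numeric gid:sid entry as 'ok', 'swapped' or 'missing'."""
    result = {}
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0]          # drop comments in the conf file
        for entry in (e.strip() for e in line.split(',')):
            m = ENTRY_RE.match(entry)
            if not m:
                continue                      # pcre: and category entries are not checked
            gid, sid = int(m.group(1)), int(m.group(2))
            if (gid, sid) in rules:
                result[entry] = 'ok'
            elif (sid, gid) in rules:
                result[entry] = 'swapped'     # written as sid:gid, as in "1:136"
            else:
                result[entry] = 'missing'
    return result
```
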
Current thread:
- Pulledpork and proprocessor rules Dave Corsello (Jan 23)
- Re: Pulledpork and proprocessor rules SnortFan (Jan 23)
- Re: Pulledpork and proprocessor rules SnortFan (Jan 23)
- Re: Pulledpork and proprocessor rules Dave Corsello (Jan 23)
- Re: Pulledpork and proprocessor rules SnortFan (Jan 24)
- Re: Pulledpork and proprocessor rules Lay, James (Jan 24)
- Message not available
- Re: Pulledpork and proprocessor rules Dave Corsello (Jan 24)
- Re: Pulledpork and proprocessor rules SnortFan (Jan 23)
- Re: Pulledpork and proprocessor rules SnortFan (Jan 23)