Snort mailing list archives
Re: Enabling all the rules for testing using PulledPork?
From: JJC <cummingsj () gmail com>
Date: Tue, 18 Feb 2014 08:00:11 -0800
Inline

Sent from the iRoad

On Feb 18, 2014, at 6:53, Michael Steele <michaels () go2dds com> wrote:

> I have users asking why they are not seeing any alerts when they install PP, and using the 'security' setting. For testing purposes, I would like to write something up that tells the installer how to enable all the rules for testing purposes only. So I'm adding the next line to the enablesid.conf file, and is it correct?
>
> PCRE wildcard "."

Yes

> Also does the following line in the pulledpork.conf need to be enabled, disabled, or it doesn't matter?
>
> ips_policy=security
>
> The above should activate all the alerts?
>
> In the latest rule set there are three alerts that cause Snort to fail unless they are disabled.
>
> os-linux.rules:
> Line 23: # alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; content:"|11|"; depth:1; content:"|00|"; within:1; isdataat:11; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:2;)
>
> server-other.rules:
> Line 289: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:3;)
> Line 290: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:3;)
>
> By enabling all the alerts, what will I need to do to make sure these three rules are disabled after PP enables all the alerts?

Add their sid to disablesid.conf and make sure that disablesid runs last.

> To revert back to the original 'ips_policy=security' setting: removing the line added to the 'enablesid.conf' file, and run PP again?

Yes

> Will the three disabled rules above need to be removed, or will it matter?

Doesn't matter...

> Thanks...
>
> On Tuesday, September 24, 2013 2:55:30 PM UTC-4, JJC wrote:
>> PCRE wildcard "." In enablesid
>>
>> Sent from the iRoad
>>
>> On Sep 24, 2013, at 11:07, "Michael Steele" <mich... () go2dds com> wrote:
>>> Is there a way to easily enable all the rules using PulledPork
>>>
>>> Best regards,
>>> Michael
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "pulledpork users" group. To unsubscribe from this group and stop receiving emails from it, send an email to pulledpork-use... () googlegroups com. To post to this group, send email to pulledpo... () googlegroups com. Visit this group at http://groups.google.com/group/pulledpork-users. For more options, visit https://groups.google.com/groups/opt_out.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
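Editor's added example, not code from PulledPork or from anyone in the thread: a small POSIX shell emulation of the enablesid.conf / disablesid.conf processing order JJC describes, run against a constructed three-rule file. It assumes PulledPork's "pcre:<regex>" enablesid syntax and "gid:sid" disablesid entries, and models "enable" as stripping a leading "# " from a rule line and "disable" as adding one. Running the same modification in both orders shows why disablesid has to run last: with the wildcard in enablesid.conf, anything disablesid commented out earlier is simply re-enabled. The `is_active` helper is also the post-run check to do on the real generated snort.rules for the three SIDs before starting Snort.

```shell
#!/bin/sh
# Added illustration (not PulledPork's own code). Assumptions: "pcre:." in
# enablesid.conf matches every rule; "gid:sid" lines in disablesid.conf name
# rules to comment out; a rule is "active" when its line starts with "alert".
set -e

WORK=$(mktemp -d)

# Constructed sample rules file (not a real Talos rule set): one active rule,
# one rule disabled by policy, and a shortened copy of sid 25314 from the thread.
cat > "$WORK/sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"TEST active"; sid:1000001; rev:1;)
# alert tcp any any -> any 443 (msg:"TEST disabled by policy"; sid:1000002; rev:1;)
# alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; sid:25314; rev:2;)
EOF

# enablesid.conf with the wildcard from the thread: enable every rule.
printf 'pcre:.\n' > "$WORK/enablesid.conf"

# disablesid.conf with the three SIDs that make Snort fail when enabled.
printf '1:25314\n1:20747\n1:20746\n' > "$WORK/disablesid.conf"

# apply_enablesid RULES CONF: uncomment each rule whose text matches the pcre.
apply_enablesid() {
  pat=$(sed -n 's/^pcre://p' "$2")
  sed -i.bak -E "/^# *alert.*${pat}/s/^# *//" "$1"
}

# apply_disablesid RULES CONF: comment out each gid:sid listed in CONF.
apply_disablesid() {
  while IFS=: read -r _gid sid; do
    [ -n "$sid" ] || continue
    sed -i.bak -E "/^alert.*sid:${sid};/s/^/# /" "$1"
  done < "$2"
}

# is_active RULES SID: prints 1 if the rule with SID is uncommented, else 0.
# The same grep works as a check on a real snort.rules produced by PulledPork.
is_active() {
  grep -c -E "^alert.*sid:$2;" "$1" || true
}

# build_rules ORDER: process the sample file; "correct" runs disablesid last,
# "wrong" runs it first. Prints the path of the resulting file.
build_rules() {
  out="$WORK/snort.$1.rules"
  cp "$WORK/sample.rules" "$out"
  if [ "$1" = correct ]; then
    apply_enablesid "$out" "$WORK/enablesid.conf"
    apply_disablesid "$out" "$WORK/disablesid.conf"
  else
    apply_disablesid "$out" "$WORK/disablesid.conf"
    apply_enablesid "$out" "$WORK/enablesid.conf"
  fi
  printf '%s\n' "$out"
}

# check_disabled RULES: succeeds only if none of the three SIDs is active.
check_disabled() {
  for sid in 25314 20747 20746; do
    [ "$(is_active "$1" "$sid")" = 0 ] || return 1
  done
}

CORRECT=$(build_rules correct)
WRONG=$(build_rules wrong)
printf 'disablesid last:  sid 25314 active=%s\n' "$(is_active "$CORRECT" 25314)"  # prints 0
printf 'disablesid first: sid 25314 active=%s\n' "$(is_active "$WRONG" 25314)"    # prints 1
```

With disablesid last, sid 1000002 is enabled by the wildcard while 25314 stays commented out; with the order reversed, the wildcard re-enables 25314 and Snort would fail to start on that rule set. Reverting to the policy-only configuration is then just removing the wildcard line and regenerating, as the thread says; the stale disablesid entries do no harm because the rules they name are already commented out.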
Current thread:
- Re: Enabling all the rules for testing using PulledPork? JJC (Feb 18)