Snort mailing list archives

Re: Enabling all the rules for testing using PulledPork?


From: JJC <cummingsj () gmail com>
Date: Tue, 18 Feb 2014 08:00:11 -0800

Inline

Sent from the iRoad

On Feb 18, 2014, at 6:53, Michael Steele <michaels () go2dds com> wrote:

I have users asking why they are not seeing any alerts when they install PP, and using the 'security' setting. For 
testing purposes, I would like to write something up that tells the installer how to enable all the rules for testing 
purposes only.

So I'm adding the following line to the enablesid.conf file; is it correct?

PCRE wildcard "."

Yes


Also does the following line in the pulledpork.conf need to be enabled, disabled, or it doesn't matter?

ips_policy=security

The above should activate all the alerts?

In the latest rule set there are three alerts that cause Snort to fail unless they are disabled.

os-linux.rules:
Line 23: # alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; content:"|11|"; depth:1; content:"|00|"; within:1; isdataat:11; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:2;)

server-other.rules:

Line 289: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:3;)

Line 290: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:3;)

By enabling all the alerts, what will I need to do to make sure these three rules are disabled after PP enables all the alerts?

Add their sid to disablesid.conf and make sure that disablesid runs last.


To revert back to the original 'ips_policy=security' setting: remove the line added to the 'enablesid.conf' file and run PP again?

Yes


Will the three disabled rules above need to be removed, or will it matter?

Doesn't matter...


Thanks...

On Tuesday, September 24, 2013 2:55:30 PM UTC-4, JJC wrote:
PCRE wildcard "." In enablesid

Sent from the iRoad

On Sep 24, 2013, at 11:07, "Michael Steele" <mich... () go2dds com> wrote:

Is there a way to easily enable all the rules using PulledPork


Best regards,

Michael 
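To make the "enable everything, then disable the three broken rules, with disablesid running last" ordering concrete, here is an added Python example (it is not PulledPork's code and not from the thread). It applies an enablesid.conf containing the wildcard pcre and a disablesid.conf listing the three sids to a small constructed rule set, in both orders, and then runs the post-run check a practitioner would want before starting Snort. It assumes PulledPork's `pcre:<regex>` and `gid:sid` entry forms for those files; the three IGMP rules are the ones quoted above, and the two EXAMPLE rules are made up.

```python
"""Simulate PulledPork-style enablesid/disablesid processing and verify the
outcome. Added illustration only; PulledPork itself is Perl and does more."""
import re

# Constructed sample rule set (one rule per line). The three IGMP rules are the
# ones quoted in the thread; the two EXAMPLE rules are invented.
SAMPLE_RULES = """\
# alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:1000002; rev:1;)
# alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; content:"|11|"; depth:1; content:"|00|"; within:1; isdataat:11; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:2;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:3;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:3;)
"""

# The two modification files as the thread describes them (assumed PulledPork
# syntax: 'pcre:<regex>' lines and comma-separated 'gid:sid' entries).
ENABLESID_CONF = """\
# testing only: a PCRE that matches every rule line
pcre:.
"""
DISABLESID_CONF = """\
# rules that make Snort fail to start with this rule set; keep them off
1:25314,1:20747
1:20746
"""
MUST_STAY_DISABLED = [25314, 20747, 20746]

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
COMMENT_RE = re.compile(r"^\s*#\s*")


def rule_identity(line):
    """Return (gid, sid) for a rule line, commented out or not; None otherwise."""
    m = SID_RE.search(line)
    if not m:
        return None
    g = GID_RE.search(line)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def parse_modify_conf(text):
    """Parse a modification file into ('pcre', regex) / ('id', (gid, sid)) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        if line.startswith("pcre:"):
            entries.append(("pcre", re.compile(line[len("pcre:"):])))
            continue
        for item in line.split(","):
            gid, sid = item.strip().split(":")
            entries.append(("id", (int(gid), int(sid))))
    return entries


def _matches(entry, rule_body):
    kind, value = entry
    if kind == "pcre":
        return value.search(rule_body) is not None
    return rule_identity(rule_body) == value


def set_state(rules_text, conf_text, enable):
    """Uncomment (enable=True) or comment out (enable=False) every matched rule."""
    entries = parse_modify_conf(conf_text)
    out = []
    for line in rules_text.splitlines():
        if rule_identity(line) is None:          # header comment or blank: untouched
            out.append(line)
            continue
        body = COMMENT_RE.sub("", line)          # the rule without its leading '#'
        if any(_matches(e, body) for e in entries):
            out.append(body if enable else "# " + body)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def enabled_ids(rules_text):
    """Set of (gid, sid) for rules that are active (not commented out)."""
    return {rule_identity(l) for l in rules_text.splitlines()
            if rule_identity(l) is not None and not l.lstrip().startswith("#")}


def run_pulledpork_like(rules_text, enable_conf, disable_conf, disable_last=True):
    """Apply both files; disable_last=True is the ordering the reply recommends."""
    if disable_last:
        return set_state(set_state(rules_text, enable_conf, True), disable_conf, False)
    return set_state(set_state(rules_text, disable_conf, False), enable_conf, True)


def still_enabled(rules_text, must_be_disabled):
    """Post-run check: which of the sids that must stay off are active? Empty is good."""
    active = {sid for (_, sid) in enabled_ids(rules_text)}
    return sorted(s for s in must_be_disabled if s in active)


if __name__ == "__main__":
    for order in (True, False):
        result = run_pulledpork_like(SAMPLE_RULES, ENABLESID_CONF, DISABLESID_CONF, order)
        print("disablesid last" if order else "disablesid first",
              "-> active:", sorted(s for _, s in enabled_ids(result)),
              "| must-stay-off but active:", still_enabled(result, MUST_STAY_DISABLED))
```

Run against the real output (the rules file PulledPork writes) by replacing SAMPLE_RULES with that file's contents and calling `still_enabled` with the three sids; a non-empty list means the three rules came back on, which in this thread's rule set means Snort will fail to start.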

-- 
You received this message because you are subscribed to the Google Groups "pulledpork users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pulledpork-use... () 
googlegroups com.
To post to this group, send email to pulledpo... () googlegroups com.
Visit this group at http://groups.google.com/group/pulledpork-users.
For more options, visit https://groups.google.com/groups/opt_out.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!