Snort mailing list archives
Re: Disablesid.conf and classtype
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 26 Feb 2014 19:18:00 +0000
On Feb 26, 2014, at 10:30 AM, SnortFan <SnortFan () yahoo com> wrote:

> Hi Joel,
>
> I think I may have found it. In the pulledpork.conf I can set the ips_policy. That will set for me the rule policy category mentioned in the article. I could then go back to my enablesid.conf and turn on only the categories not included in the ips_policy. Bingo.
>
> So for example: if I set the ips policy to security and then add the VoIP category in my enablesid.conf, I will get:
>
> CVSS score 8 or greater
> Age: current back 3 years
> Rule categories: Malware-cnc, Blacklist, SQL injection, Exploit kit, App-detect, VoIP
>
> Am I on track?

Yes.

> Also for the VoIP, since it's an add-on, would it activate rules over the age setting, older than the policy?

Yes. You can turn on whatever you want. That overrides our settings. We just ship things in this fashion based upon the criteria. You should always adjust your policy to your local network.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

> Thanks,
> Ed
>
> Sent from a mobile device.
>
> On Feb 26, 2014, at 1:05 PM, SnortFan <SnortFan () yahoo com> wrote:
>
> Hi Joel,
>
> I'm a little confused. Are all new rules created being placed into a rule category? How do you pull rules based on temporal concerns? How do I pull rules based on CVSS score? Right now I'm pulling rules based on categories using the enablesid.conf in pulledpork, and that's probably a lot more rules than I need.
>
> Thanks,
> Ed
>
> Sent from a mobile device.
>
> On Feb 21, 2014, at 2:39 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
>
> Perhaps a bit off topic from the original thread, but Juan's email prompted me about the way he seems to be doing things. Have you seen this?
>
> http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
>
> --
> Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
>
> On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <camilo.valencia13 () gmail com> wrote:
>
> Hi,
>
> We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most optimized, but it works; you can use it for your keyword:
>
> #Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
> pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
> pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
>
> #Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
> pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
>
> #Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted-(admin|user) and misc-activity
> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
> pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
>
> #Regex to enable rules on VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
> pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
>
> I hope that this helps you,
>
> Best Regards
>
> On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan () yahoo com> wrote:
>
> Hi All,
>
> Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule? If so, can you post an example?
>
> Thanks,
> Ed
>
> Sent from a mobile device.
>
> --
> JUAN CAMILO VALENCIA VARGAS
> Operations Engineer
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medellín, Colombia
> "Choose a job you love, and you will never have to work a day in your life"

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
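The thread above combines two selection mechanisms: the ips_policy setting in pulledpork.conf, which keeps the rules tagged for a given VRT policy in their metadata, and pcre: entries in enablesid.conf / disablesid.conf, which match a regular expression against the whole rule text (so one lookahead per criterion lets you combine category, classtype and keywords, as in Juan's entries). The following Python is an added illustration of that interaction, written for this page; it is not pulledpork's code nor anything posted in the thread. The sample rules are constructed (gid 1, sid 9000xx, made-up messages), the processing order (policy baseline, then enablesid, then disablesid) and case-insensitive matching are this example's assumptions, and the entries are applied to the rule text the way a pcre: line would be, so you can check what a pattern would select before running pulledpork against the real rule files.

```python
import re

# Constructed sample rules in Snort 2 syntax (not from the VRT ruleset):
# the SIDs, messages and metadata are made up for this example.
# A leading "# " means the rule ships disabled in the rule file.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; classtype:attempted-user; sid:900001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer unusual header detected"; flow:to_client,established; classtype:misc-activity; sid:900002; rev:1; metadata:policy balanced-ips alert;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime malformed atom attempt"; flow:to_client,established; classtype:attempted-user; sid:900003; rev:1; metadata:policy security-ips drop;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA malformed AVI chunk length attempt"; flow:to_client,established; classtype:attempted-user; sid:900004; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"PROTOCOL-VOIP SIP INVITE flood attempt"; classtype:attempted-dos; sid:900005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC outbound beacon attempt"; flow:to_server,established; classtype:trojan-activity; sid:900006; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP directory traversal attempt"; flow:to_server,established; classtype:web-application-attack; sid:900007; rev:1; metadata:policy security-ips drop;)
"""

# One rule per line; an optional "# " prefix marks a rule that ships disabled.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<rule>(?:alert|drop|pass|log)\s.*\(.*\))\s*$')
SID_RE = re.compile(r'\bsid:(\d+);')
# "policy security-ips drop" -> "security"; several policies may be listed.
POLICY_RE = re.compile(r'\bpolicy\s+([a-z-]+)-ips\s+(?:drop|alert)\b')


def parse_rules(text):
    """Return a list of dicts: sid, full rule text, policy tags, shipped state."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        body = m.group('rule')
        rules.append({
            'sid': int(SID_RE.search(body).group(1)),
            'text': body,
            'policies': set(POLICY_RE.findall(body)),
            'shipped_enabled': m.group('off') is None,
        })
    return rules


def compile_entry(entry, flags=re.IGNORECASE):
    """Turn a 'pcre:<regex>' line from enablesid/disablesid.conf into a regex.
    Case-insensitive matching is an assumption of this example."""
    entry = entry.strip()
    if not entry.startswith('pcre:'):
        raise ValueError('only pcre: entries are modelled here: %r' % entry)
    return re.compile(entry[len('pcre:'):], flags)


def apply_policy(rules, ips_policy, enablesid=(), disablesid=()):
    """Simplified model (assumed order, not pulledpork's code):
    1. ips_policy: only rules tagged for that policy start enabled;
    2. enablesid pcre: entries switch additional rules on;
    3. disablesid pcre: entries switch rules off last, so they win.
    Returns {sid: enabled}."""
    enable = [compile_entry(e) for e in enablesid]
    disable = [compile_entry(e) for e in disablesid]
    state = {}
    for r in rules:
        on = ips_policy in r['policies']
        if any(p.search(r['text']) for p in enable):
            on = True
        if any(p.search(r['text']) for p in disable):
            on = False
        state[r['sid']] = on
    return state


def render(rules, state):
    """Write the rules back out the way a rule file would look after processing."""
    return '\n'.join(('' if state[r['sid']] else '# ') + r['text'] for r in rules)


# enablesid.conf: Ed's VoIP add-on (the whole category, regardless of the
# policy's age and CVSS criteria) plus two of Juan's entries from the thread.
ENABLESID = [
    r'pcre:(?=.*\bPROTOCOL-VOIP\b)',
    r'pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)',
    r'pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)',
]
# disablesid.conf: drop one category/classtype combination even though the
# security policy would have kept it.
DISABLESID = [
    r'pcre:(?=.*\bSERVER-WEBAPP\b)(?=.*\bweb-application-attack\b)',
]


def demo():
    rules = parse_rules(SAMPLE_RULES)
    return apply_policy(rules, 'security', ENABLESID, DISABLESID)


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    state = demo()
    for sid, on in sorted(state.items()):
        print(sid, 'enabled' if on else 'disabled')
    print(render(rules, state))
```

With ips_policy=security, sids 900001, 900003, 900006 and 900007 form the baseline; the enablesid entries add 900002 (BROWSER-IE with misc-activity) and 900005 (the VoIP category, which has no policy tag at all), 900004 stays off because its text contains none of the keywords in the third lookahead, and the disablesid entry removes 900007 again. Because each pcre: entry is matched against the entire rule line, keyword lookaheads such as (apple|adobe|videolan.org) can hit the msg, the reference fields or anything else in the rule, so test a pattern against the real rule files before relying on it, and re-check it after a rule update, since msg text and metadata change over time.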
Current thread:
- Disablesid.conf and classtype SnortFan (Feb 21)
- Re: Disablesid.conf and classtype Juan Camilo Valencia (Feb 21)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 21)
- Re: Disablesid.conf and classtype SnortFan (Feb 26)
- Re: Disablesid.conf and classtype SnortFan (Feb 26)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 26)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 21)
- Re: Disablesid.conf and classtype Juan Camilo Valencia (Feb 21)