Snort mailing list archives

Re: Default rule set


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 23 May 2014 10:15:53 -0600

I keep my VRT and ET rules separate, so separate PP config files, and separate combined .rules files as well.  This 
just works better for my personal setup.

-----Original Message-----
From: Sallee, Jake [mailto:Jake.Sallee () umhb edu] 
Sent: May 17, 2014 10:44 PM
To: snort-users
Subject: [Snort-users] Default rule set

Firstly, thank you all for the info, it has been very helpful.

I have configured my pulled pork with the security setting and it seems to be working well.  Now, as others have 
pointed out, configuring this setting in PP turns off all ET rules.  So my question is: are the rules turned on with 
the "security" setting in PP sufficient or should I augment them with rules from the ET set?

Also, a quick question about this suggestion:

2. Since PulledPork now processes modifysid.conf first (before 
enablesid.conf), add pcre to modify ET rules to include the desired 
policy and PulledPork should pick it up from there. I will need to re-test this one though.

Please forgive my inexperience but I am reading this statement two different ways:

1) Set PP with the security setting and use PCRE to enable ET rules in the modifysid.conf file or
2) Use PCRE to enable the security sub-set of rules in modifysid.conf while PP is configured to use the ET rule set

Which one is correct, or am I wrong on both counts?

And lastly, if I do use some ET rules in conjunction with the security set of rules I will need to do some serious 
pruning to keep under the aforementioned 7,000 rule suggested limit. Are there any rules that duplicate effort in the 
ET and Security sets?  If so, is there an easy way to identify them and which one should I choose to use?

Thank you all again.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: waldo kitty [wkitty42 () windstream net]
Sent: Saturday, May 17, 2014 9:47 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Default rule set

On 5/17/2014 6:43 AM, Y M wrote:
>> ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET (EmergingThreats) rules sets?? ;)
>
> I don't think ET ruleset has these policies.

exactly, thanks for confirming this, YM... it is especially important since the OP's original question mentioned ET 
rules...

> In the VRT ruleset, these are represented through the "metadata" tag with options of "policy connectivity-ips",
> "policy balanced-ips", "policy security-ips", and the most recent one "ruleset community". PulledPork uses these
> along with the "-I <policy>" to determine what rules to enable.

yes, this confirms the method with which the policy is determined... it is also helpful for those who don't know or 
understand it...

> During early tests, running PulledPork against both VRT and ET with a policy specified did not enable any ET rule.
> Two options to overcome this:
> 1. Add ET sids/categories into enablesid.conf, and PulledPork will enable them regardless of policy specified, or
> (better)
> 2. Since PulledPork now processes modifysid.conf first (before enablesid.conf), add pcre to modify ET rules to
> include the desired policy and PulledPork should pick it up from there. I will need to re-test this one though.

ahh, very nice... i'm glad to see the PP has come such a long way in the short time it has been available... excellent 
work by the maintainer! ;)

--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ 
browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get 
started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
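As an added illustration, not code from PulledPork or from anyone in this thread, the following Python model shows the two behaviours discussed above: a policy filter that enables only rules carrying "policy <name>-ips" in their metadata (so untagged ET rules get switched off), a regex rewrite that adds such a tag to ET rules, in the spirit of YM's modifysid.conf suggestion (the real file's syntax is not reproduced), and a simple CVE-reference overlap check for Jake's question about duplicated coverage. All rule lines and sids are constructed.

```python
import re
# Constructed sample rules with arbitrary sids; not real VRT or ET signatures.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"VRT A"; content:"foo"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-0001; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"VRT B"; content:"bar"; metadata:policy security-ips drop; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"VRT C"; content:"baz"; metadata:policy connectivity-ips drop; sid:1000003; rev:1;)
"""
ET_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET A"; content:"foo"; reference:cve,2014-0001; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET B"; content:"qux"; sid:2000002; rev:1;)
"""
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CVE_RE = re.compile(r'reference:\s*cve,\s*([\d-]+)')

def apply_policy(rules, policy):
    """Keep enabled only rules tagged 'policy <policy>-ips'; comment out the rest."""
    tag = f"policy {policy}-ips"
    out = []
    for line in rules.splitlines():
        body = line.lstrip("# ").rstrip()
        if not SID_RE.search(body):       # blank line or plain comment
            out.append(line)
        else:
            out.append(body if tag in body else "# " + body)
    return "\n".join(out) + "\n"

def tag_policy(rules, policy):
    """Mimic a modifysid-style PCRE rewrite: put a metadata policy tag before
    'sid:' on rules lacking metadata, so apply_policy() then enables them."""
    def fix(line):
        if "metadata:" in line or not SID_RE.search(line):
            return line
        return re.sub(r'(\bsid:)', f"metadata:policy {policy}-ips; \\1", line, count=1)
    return "\n".join(fix(l) for l in rules.splitlines()) + "\n"

def enabled_sids(rules):
    """Sids of rule lines that are not commented out."""
    return {int(m.group(1)) for l in rules.splitlines()
            if not l.lstrip().startswith("#") and (m := SID_RE.search(l))}

def shared_cves(a, b):
    """CVEs referenced in both rule sets: candidates for duplicated coverage."""
    def cves(rules):
        found = {}
        for l in rules.splitlines():
            if (s := SID_RE.search(l)) and (c := CVE_RE.search(l)):
                found.setdefault(c.group(1), set()).add(int(s.group(1)))
        return found
    ca, cb = cves(a), cves(b)
    return {cve: (ca[cve], cb[cve]) for cve in ca.keys() & cb.keys()}
```

Running apply_policy on the untagged ET set yields no enabled rules, which is the behaviour YM observed; tagging first (tag_policy) makes the same filter keep them.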
