Snort mailing list archives
Re: configuring rules
From: Joel Esler <jesler () cisco com>
Date: Wed, 03 Sep 2014 10:25:02 -0400
Your rule file should be here: /etc/snort/rules/snort.rules, according to the dump you posted below.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On 9/3/14 10:22 AM, Y M wrote:
I highly recommend that you go ahead and change your oinkcode (like right now); do not post it in public!

To answer your questions:

- It depends on how you configure PulledPork: either all to one file (snort.rules) or you copy over the individual rules files. PulledPork handles all of that.
- If you do not do the modification in PulledPork's modifysid.conf, then all of your changes will get overwritten.
- We will need to see how you are configuring PulledPork (minus your oinkcode).

YM

------------------------------------------------------------------------
From: Sharif.Uddin () spectrumasa com
To: jesler () cisco com
Date: Wed, 3 Sep 2014 14:10:08 +0000
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] configuring rules

I have set up PulledPork and would like to know:

- where all the rules get written to
- what happens if I modify one of these rules and run the command again
- why, when I empty the rules folder and run the pulledpork command, the folder is still empty

[root@snort snort]# pulledpork.pl -c /etc/pulledpork/pulledpork.conf -vv
http://code.google.com/p/pulledpork/
PulledPork v0.7.0 - Swine Flu!
Copyright (C) 2009-2013 JJ Cummings
cummingsj () gmail com
Rules give me wings!
Config File Variable Debug /etc/pulledpork/pulledpork.conf
snort_path = /usr/local/bin/snort
black_list = /etc/snort/rules/iplists/default.blacklist
pid_path = /var/run/snort_end34.pid
IPRVersion = /etc/snort/rules/iplists
rule_path = /etc/snort/rules/snort.rules
ignore = deleted.rules,experimental.rules,local.rules
snort_control = /usr/local/bin/snort_control
rule_url = ARRAY(0x30e8720)
sid_msg_version = 1
sid_changelog = /var/log/sid_changes.log
sid_msg = /etc/snort/sid-msg.map
config_path = /etc/snort/snort.conf
temp_path = /tmp
distro = RHEL-6-0
version = 0.7.0
sorule_path = /usr/local/lib/snort_dynamicrules/
local_rules = /etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
arch Def is: x86-64
Config Path is: /etc/pulledpork/pulledpork.conf
Distro Def is: RHEL-6-0
Disabled policy specified
local.rules path is: /etc/snort/rules/local.rules
Rules file is: /etc/snort/rules/snort.rules
sid changes will be logged to: /var/log/sid_changes.log
sid-msg.map Output Path is: /etc/snort/sid-msg.map
Snort Version is: 2.9.6.2
Snort Config File: /etc/snort/snort.conf
Snort Path is: /usr/local/bin/snort
SO Output Path is: /usr/local/lib/snort_dynamicrules/
Will process SO rules
Extra Verbose Flag is Set
Verbose Flag is Set
Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|bc79ebef13822d894e68f63ee3e46916dc684d82
https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
https://www.snort.org/reg-rules/|opensource.gz|bc79ebef13822d894e68f63ee3e46916dc684d82
MY HTTPS PROXY = http://proxy:3128
MY HTTP PROXY = http://proxy:3128
Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
Fetching md5sum for: snortrules-snapshot-2962.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2962.tar.gz.md5/bc79ebef13822d894e68f63ee3e46916dc684d82 ==> 200 OK (1s)
most recent rules file digest: 89727bcdc8e13597e20f98a8cf1922c6
current local rules file digest: 89727bcdc8e13597e20f98a8cf1922c6
The MD5 for snortrules-snapshot-2962.tar.gz matched 89727bcdc8e13597e20f98a8cf1922c6
Checking latest MD5 for community-rules.tar.gz....
Fetching md5sum for: community-rules.tar.gz.md5
** GET https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 ==> 200 OK
most recent rules file digest: 9da58f33a7d70a15ec4783846a26215b
current local rules file digest: 9da58f33a7d70a15ec4783846a26215b
The MD5 for community-rules.tar.gz matched 9da58f33a7d70a15ec4783846a26215b
IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
** GET http://labs.snort.org/feeds/ip-filter.blf ==> 200 OK
Reading IP List...
Checking latest MD5 for opensource.gz....
Fetching md5sum for: opensource.gz.md5
** GET https://www.snort.org/reg-rules/opensource.gz.md5/bc79ebef13822d894e68f63ee3e46916dc684d82 ==> 200 OK
most recent rules file digest: 489712cc1f594ad03958473e8a4c00d0
current local rules file digest: 489712cc1f594ad03958473e8a4c00d0
The MD5 for opensource.gz matched 489712cc1f594ad03958473e8a4c00d0
Cleanup....
removed 0 temporary snort files or directories from /tmp/tha_rules!
Blacklist version is unchanged, not updating!
Writing /var/log/sid_changes.log....
Done
No Rule Changes
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 17:53
To: Sharif Uddin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] configuring rules

Yes.
http://manual.snort.org/node53.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 2, 2014, at 12:50 PM, Sharif Uddin <Sharif.Uddin () spectrumasa com> wrote:

Is it possible to have multiple IP addresses instead of just networks in ipvar HOME_NET?

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 17:17
To: Sharif Uddin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] configuring rules

Dear Sharif,

Thanks for your email. I believe you will find what you are looking for here:
http://manual.snort.org/node31.html#SECTION00446000000000000000

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 2, 2014, at 12:05 PM, Sharif Uddin <Sharif.Uddin () spectrumasa com> wrote:

How would I add classification and severity on custom alerts?

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 16:49
To: Sharif Uddin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] configuring rules

It appears that all of your rules are bi-directional, "<>". Try making them single directional, "->".

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 2, 2014, at 11:41 AM, Sharif Uddin <Sharif.Uddin () spectrumasa com> wrote:

Hello,

I need some help in writing some rules to test my network.
I have set up snort, barnyard2 and snorby on CentOS 7. My home network is:

ipvar HOME_NET [172.16.0.0/22,172.16.12.0/24,172.16.13.0/24,31.221.13.192/29,62.49.167.0/29,62.49.167.8/29,192.168.254.0/24,192.168.202.0/24,192.168.218.0/24,10.0.2.0/24,10.0.3.0/24,192.168.15.0/24,172.16.64.0/18,172.16.15.0/24,172.16.16.0/22,10.0.0.0/24,10.0.1.0/24,192.168.252.0/24,172.16.171.0/24,10.40.135.0/24,172.16.8.0/24,172.16.9.0/24,192.168.0.0/24,172.0.0.0/24,105.0.0.0/24,192.168.1.1/24,192.168.224.0/20,212.103.166.96/30]

The following are some test rules which I put in local.rules:

alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP"; sid: 1000001; rev:1;) # external ping to internal network?
alert tcp $HOME_NET any <> $HOME_NET any (content:"|00 01 86 a5|"; msg:"mountd access";sid:1000002;rev:1;) # found a sample online which has not responded to anything
alert tcp !$HOME_NET :139 <> $HOME_NET any (msg:"NetBIOS Session";sid:1000003;rev:1;) # test external ip trying to mount
alert tcp !$HOME_NET :445 <> $HOME_NET any (msg:"SMB over TCP";sid:1000004;rev:1;) # test external ip trying to mount

Have I written them correctly?

For my samba alerts I have found it also includes the internal network; when I look at the source port on snorby, it's not always 139 or 445. What am I doing wrong?

Sharif

IMPORTANT - This message and any attached files contain information intended for the exclusive use of the party or parties to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not an intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender immediately and delete the original message without making any copies. Copyright in this email and any attachments belong to Spectrum Geo Limited. We cannot guarantee the security or confidentiality of email communications.
We do not accept any liability for losses or damages that you may suffer as a result of your receipt of this email. Email communication with Spectrum Geo Ltd., may be monitored as permitted by UK legislation. Spectrum Geo Limited, is a limited company registered in England and Wales. Registered number: 1979422. Registered office: 95 Aldwych, London WC2B 4JF.

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
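Joel's directional fix and the classification question above, as an added example that is not part of the thread: a small Python linter run over the four local.rules entries Sharif posted, which flags the "<>" operator, notes that a port written ":139" is a Snort range covering every port up to 139 rather than the single port (like "<>", this widens what the rule matches), and reports rules with no classtype/priority; the classtype and priority values fix_rule() inserts are assumptions, not values from the thread.

```python
import re
# Constructed input: the four local.rules entries from the thread, unchanged.
SAMPLE_RULES = """\
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP"; sid: 1000001; rev:1;)
alert tcp $HOME_NET any <> $HOME_NET any (content:"|00 01 86 a5|"; msg:"mountd access";sid:1000002;rev:1;)
alert tcp !$HOME_NET :139 <> $HOME_NET any (msg:"NetBIOS Session";sid:1000003;rev:1;)
alert tcp !$HOME_NET :445 <> $HOME_NET any (msg:"SMB over TCP";sid:1000004;rev:1;)
"""
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    # Options are split on ';', fine here but not for content escaping a ';'.
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        key, _, val = opt.partition(":")
        if key.strip():
            opts[key.strip()] = val.strip() or None  # flag options have no value
    rule["opts"] = opts
    return rule

def lint(rule):
    findings = []
    if rule["dir"] == "<>":
        findings.append("bidirectional '<>' also matches the reverse flow; use '->'")
    for side in ("sport", "dport"):
        if re.fullmatch(r":\d+", rule[side]):  # ':139' means ports 1..139
            findings.append("%s %s is a range up to %s, not one port"
                            % (side, rule[side], rule[side][1:]))
    for opt in ("classtype", "priority"):
        if opt not in rule["opts"]:
            findings.append("no %s: alert has no classification/severity" % opt)
    return findings

def fix_rule(line, classtype="attempted-recon", priority=2):
    # Defaults for classtype/priority are assumptions, not from the thread.
    rule = parse_rule(line)
    fixed = line.strip().replace(" <> ", " -> ", 1)
    extra = ""
    if "classtype" not in rule["opts"]:
        extra += " classtype:%s;" % classtype
    if "priority" not in rule["opts"]:
        extra += " priority:%d;" % priority
    return fixed[:-1] + extra + ")"
```

Run lint(parse_rule(line)) over each line of SAMPLE_RULES to see the findings, and fix_rule(line) to get the single-directional rewrite; adjust the classtype to one defined in your classification.config.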
Current thread:
- configuring rules Sharif Uddin (Sep 02)
- Re: configuring rules Joel Esler (jesler) (Sep 02)
- Re: configuring rules Sharif Uddin (Sep 02)
- Re: configuring rules Joel Esler (jesler) (Sep 02)
- Re: configuring rules Sharif Uddin (Sep 02)
- Re: configuring rules Joel Esler (jesler) (Sep 02)
- Re: configuring rules Sharif Uddin (Sep 03)
- Re: configuring rules Y M (Sep 03)
- Re: configuring rules Joel Esler (Sep 03)
- Re: configuring rules Joel Esler (Sep 03)
- Re: configuring rules Sharif Uddin (Sep 03)
- Re: configuring rules Sharif Uddin (Sep 04)
- Re: configuring rules Sharif Uddin (Sep 02)
- Re: configuring rules Joel Esler (jesler) (Sep 02)