Snort mailing list archives
Re: Enabling Only Applicable Rules
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sun, 14 May 2017 13:33:19 +0200
Register at snort.org to obtain the free snortrules-snapshot-*.tar.gz which contains rules divided into categories. Then use pulledpork to select the desired category + additional rules.

For example, on CentOS7:

Pulledpork is installed with:

    yum -y install pulledpork

After the installation of Pulledpork:

0. mkdir -p /etc/snort/rules/iplists
1. insert your oinkcode in /etc/pulledpork/pulledpork.conf
2. disable community-rules.tar.gz in /etc/pulledpork/pulledpork.conf
3. change the order of Pulledpork operations to: state_order=disable,drop,enable in /etc/pulledpork/pulledpork.conf

Pulledpork writes the rules on CentOS by default to /etc/snort/rules/snort.rules. In order to create or update /etc/snort/rules/snort.rules do:

4. Disable all rules:

       echo pcre:. >> /etc/pulledpork/disablesid.conf

5. Enable selected categories and rules:

       echo server-apache >> /etc/pulledpork/enablesid.conf
       echo pcre:'OpenSSL' >> /etc/pulledpork/enablesid.conf
       echo pcre:' cipher' >> /etc/pulledpork/enablesid.conf
       echo pcre:'rule-type decode' >> /etc/pulledpork/enablesid.conf
       echo '139:1-139:9999' >> /etc/pulledpork/enablesid.conf

6. One could replace HTTP_PORTS rules with a custom MY_HTTP_PORTS set on top of snort.conf:

       echo '* "\$HOME_NET \$HTTP_PORTS " "$HOME_NET $MY_HTTP_PORTS "' >> /etc/pulledpork/modifysid.conf

7. Here is how one could disable specific rules (this way works only for gid:1):

       echo '* ".*freakattack.*" ""' >> /etc/pulledpork/modifysid.conf
       echo '* ".*sid:28205.*" ""' >> /etc/pulledpork/modifysid.conf

8. generate new /etc/snort/rules/snort.rules with:

       pulledpork -PE -c /etc/pulledpork/pulledpork.conf

Marcin

On Sat, May 13, 2017 at 2:32 AM, bobby <architectofthefuture () gmail com> wrote:
I am running snort, and have the community rules. If I am running the HTTP service, how do I locate the rules that I need to activate/that apply to me? Do I just do a ls | grep ' HTTP ' on the rules? What is the best way to do this since there are thousands and thousands of rule sets? How does one go about customizing the rules to one's network?

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
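After step 8 in Marcin's procedure, the thing to verify is the generated snort.rules itself: are the rules you meant to disable really commented out, did the SERVER-APACHE / OpenSSL selections come through, and are there enabled rules still bound to $HTTP_PORTS rather than the custom $MY_HTTP_PORTS? The script below is an added example, not part of Marcin's post or of pulledpork; it runs a few such checks against a rules file. The rules it inspects are a constructed sample written to a temp file (hypothetical sids 1000001-1000005), and the function names (count_enabled, count_disabled, enabled_sids_matching, rules_report) are my own. Point rules_report at /etc/snort/rules/snort.rules to run the same checks on real output.

```shell
#!/bin/sh
# Constructed sample of a pulledpork-generated rules file (hypothetical rules,
# not from the real snortrules snapshot). pulledpork leaves enabled rules with
# their action keyword first and comments disabled rules out with '# '.
SAMPLE_RULES="$(mktemp)"
cat > "$SAMPLE_RULES" <<'EOF'
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP sample disabled rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $MY_HTTP_PORTS (msg:"SERVER-APACHE sample enabled rule"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL sample enabled rule"; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER freakattack sample disabled rule"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP sample enabled rule"; sid:1000005; rev:1;)
EOF

# Rule lines start with one of the Snort rule actions; anything else is a
# comment, a blank line or a disabled rule.
ACTIONS='(alert|drop|log|pass|reject|sdrop)'

# Number of active (uncommented) rules in the file. grep -c exits 1 when the
# count is 0, so '|| true' keeps the count as the only output.
count_enabled() {
  grep -cE "^${ACTIONS}[[:space:]]" "$1" || true
}

# Number of rules pulledpork has commented out (disabled) in the file.
count_disabled() {
  grep -cE "^# *${ACTIONS}[[:space:]]" "$1" || true
}

# Enabled rules still using the stock $HTTP_PORTS variable instead of a
# custom one such as $MY_HTTP_PORTS (the literal-$ grep does not match
# "$MY_HTTP_PORTS", because that string never contains "$HTTP_PORTS").
count_enabled_using_http_ports() {
  grep -E "^${ACTIONS}[[:space:]]" "$1" | grep -c '\$HTTP_PORTS' || true
}

# Space-separated sids of enabled rules whose text matches an extended regex
# (e.g. a category prefix like SERVER-APACHE, or a keyword like OpenSSL).
enabled_sids_matching() {
  grep -E "^${ACTIONS}[[:space:]]" "$1" \
    | grep -E "$2" \
    | sed -n 's/.*sid:\([0-9]*\);.*/\1/p' \
    | tr '\n' ' ' | sed 's/ $//'
}

# Short report for a rules file; usage: rules_report /etc/snort/rules/snort.rules
rules_report() {
  echo "enabled rules:                         $(count_enabled "$1")"
  echo "disabled (commented) rules:            $(count_disabled "$1")"
  echo "enabled rules still using \$HTTP_PORTS: $(count_enabled_using_http_ports "$1")"
  echo "enabled SERVER-APACHE sids:            $(enabled_sids_matching "$1" 'SERVER-APACHE')"
  echo "enabled freakattack sids (expect none): $(enabled_sids_matching "$1" 'freakattack')"
}

rules_report "$SAMPLE_RULES"
```

The $HTTP_PORTS check is the one worth keeping around: the modifysid.conf line in step 6 only rewrites rules whose header contains exactly "$HOME_NET $HTTP_PORTS ", so any rule with a different header (for example $EXTERNAL_NET as the destination, or $HTTP_PORTS on the source side) keeps the stock variable, and this report makes that visible.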