Snort mailing list archives

Re: some question about snort rules


From: JJC <cummingsj () gmail com>
Date: Wed, 17 Aug 2011 08:13:00 -0600

You can also use the references that are listed... look up the CVE / Bugtraq
info.. also a pretty good bet that most rules that have an MSXX-XXXX
reference are MSFT related..

JJC
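The two heuristics in this thread (JJC: rules carrying an MSxx-xxx bulletin reference are Microsoft-related; Jason: the policy metadata decides which rules a given policy enables) can be applied mechanically to a rules file. The script below is an added example, not code from the thread or from the VRT; the sample rules, sids and reference ids in it are constructed placeholders, and the option syntax assumed is the standard `key:value;` form used in Snort rules.

```python
import re

# Constructed sample rules (placeholders, not real VRT rules): sids, refs and msgs are made up.
SAMPLE_RULES = """\
# commented-out rule: disabled by default in the shipped ruleset
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB sample"; flow:to_server,established; content:"|FF|SMB"; reference:cve,2011-0001; reference:url,technet.microsoft.com/security/bulletin/MS11-001; classtype:attempted-admin; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache sample"; flow:to_server,established; content:"/cgi-bin/"; reference:bugtraq,99999; reference:cve,2011-0002; classtype:web-application-attack; sid:1000002; rev:2; metadata:policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BOTNET-CNC sample beacon"; flow:to_server,established; content:"beacon"; classtype:trojan-activity; sid:1000003; rev:1; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop;)
"""

# One rule option: key, then a quoted string or anything up to the next ';'
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')
# Microsoft security bulletin ids look like MS08-067 / MS11-0001
MS_BULLETIN_RE = re.compile(r'\bMS\d{2}-\d{3,4}\b', re.IGNORECASE)


def parse_rule(line):
    """Return enabled flag, sid, msg, references and policy set for one rule line, else None."""
    enabled = not line.startswith('#')
    body = line.lstrip('#').strip()
    if not body.startswith(('alert', 'drop', 'pass', 'log')):
        return None  # blank line or an ordinary comment, not a disabled rule
    opts = body[body.find('(') + 1:body.rfind(')')]
    rule = {'enabled': enabled, 'sid': None, 'msg': '', 'refs': [], 'policies': set()}
    for key, val in OPTION_RE.findall(opts):
        if key == 'sid':
            rule['sid'] = int(val)
        elif key == 'msg':
            rule['msg'] = val.strip('"')
        elif key == 'reference':  # e.g. reference:cve,2011-0001
            kind, _, ident = val.partition(',')
            rule['refs'].append((kind.strip(), ident.strip()))
        elif key == 'metadata':   # e.g. metadata:policy balanced-ips drop, policy security-ips drop
            for item in val.split(','):
                parts = item.split()
                if len(parts) == 3 and parts[0] == 'policy':
                    rule['policies'].add(parts[1])
    return rule


def is_microsoft_related(rule):
    """JJC's heuristic: any reference that carries an MSxx-xxx bulletin id marks the rule as MSFT-related."""
    return any(MS_BULLETIN_RE.search(ident) for _, ident in rule['refs'])


def select_rules(text, policy, drop_windows=False):
    """Sids the chosen policy (connectivity-ips, balanced-ips, security-ips) would enable,
    regardless of the shipped comment state; optionally skip MSFT rules on a Windows-free network."""
    chosen = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or policy not in rule['policies']:
            continue
        if drop_windows and is_microsoft_related(rule):
            continue
        chosen.append(rule['sid'])
    return chosen
```

Pointed at a real rules directory, the same functions give a per-policy sid list that a tool like pulledpork could consume, and the reference scan gives a first cut at the OS question the thread raises.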

On Wed, Aug 17, 2011 at 7:21 AM, Joel Esler <jesler () sourcefire com> wrote:

Take a look at web-cgi, web-client, web-misc for apache.  Windows
vulnerabilities are all over the place.  (Netbios, web-client, botnet-cnc,
blacklist, web-misc.. etc)

Incidentally, we are currently in a project to redesign the entire VRT
ruleset solving the exact problem you are describing below.  We should have
something to announce soon over on the VRT blog http://blog.snort.org

We are in the final design stages and will open it up for comments soon.

Joel


On Aug 17, 2011, at 7:32 AM, Zhuxian wrote:

For the VRT rules, how do I know which rules relate to which OS, such as
Windows or SUSE? I have not found any attribute in the rule to indicate whether it is
Windows related or not.

And for Apache, how do I know which rules relate to Apache? I can't
find any rule file named apache.rules.  Do you mean I should enable all
rules in the web-*.rules files?



-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Thursday, August 04, 2011 8:44 PM
To: Zhuxian
Cc: snort-sigs () lists sourceforge net; Likun
Subject: Re: [Snort-sigs] same question about snort rules

On Wed, Aug 3, 2011 at 11:53 PM, Zhuxian <zhuxian () huawei com> wrote:
1. Does snort provide the test tools and test model to test
these rules? Or is there any suggested tools to test these rules?
  If snort does not provide, does SourceFire provide?


I do not know of any testing tools related to snort rules
in general. What type of testing are you looking for?

2. Some rules are commented out in the rules files released by snort.
Does this mean these are the default rule settings for snort?
Is there any reference or guide for the customer to tune the
rule set?


The rules are broken up into three policy groups Connectivity,
Balanced, and Security. Take a look at...


http://code.google.com/p/pulledpork/source/browse/trunk/doc/README.RULESET

for a high level view of these policies. I'm not sure what
policy the default state of the rules is tied to. If you use a
rule management tool that can use these policy settings, like
pulledpork, then it will enable/disable rules based on what
policy you choose. These policies are just a starting point.
What you run for rules depends on what you are trying to
protect. If you are not running Windows servers, you can turn
off all the Windows related rules. If you are running Apache,
then you probably want to turn those rules on. Even then you
want to be specific about what rules you enable. Just because
you are running Apache doesn't mean you need to run all the
Apache related rules. If you are running an older version of
Apache you would need to run more rules than if it were the
current version of Apache.
What rules you enable should be tied to what OS you are using,
what applications/services you want to protect, and what
vulnerabilities those OSes and apps/services have. There are
also more general rules that look for things like malware and
policy violations. Whether or not you enable those rules
depends on what you do or do not allow in your environment.

For general tuning information look at some of the webcasts at
snort.org...

http://www.snort.org/community/snort-webcast-series/


Regards,
Kurtzhu



------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco,
CA The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org



------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
user administration capabilities and model configuration. Take
the hassle out of deploying and managing Subversion and the
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
