Re: Rules and Tuning

[JJ Cummings <cummingsj () gmail com>]

If you are running pulledpork then it sticks all rules in a single file by default... Dig through there and enjoy

Sent from the iRoad

On Aug 14, 2012, at 14:52, Steven Vona <savona () aivila com> wrote:

> Thanks for the help.  But what I really need is a listing of all the rules.  We want to go through the whole list and 
> select what we need enabled and not enabled.  Is this possible?
>
>
> On Tue, Aug 14, 2012 at 11:48 AM, Tony Robinson <trobinson () sourcefire com> wrote:
> To expand on JJ's answer,
>
> This depends on what ruleset you are utilizing, Steve, but at least for the VRT ruleset, there are multiple ways for 
> you to obtain more information for a given rule. If you have the sid number/message, the actual rule (or rule stub in 
> the case of SO rules) will usually have metadata associated with the rule -- MS vulnerability IDs, CVE numbers, as 
> well as links to websites with more information (e.g. links to bugtraq or MS technet, virustotal, etc.)
>
> If you don't want to dig in the .rules files, then, at least for VRT rules, snort.org has a rule search page, that, 
> given a SID, can give you more information on a given rule
> www.snort.org/search
>
> additionally, the downloads page has a file, opensource.gz that has rule documentation available as well.
>
> Hope this helps,
>
> Tony
>
> On Mon, Aug 13, 2012 at 1:42 PM, Steven Vona <savona () aivila com> wrote:
> Is there someplace I can get a list of rules and what they are looking for?  We are getting a ton of alerts and I 
> would like to fine tunes which rules should be active and which rules should be disabled.  I need more information 
> than just the name of the rule.
>
> Thanks,
> Steve
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
> -- 
>
> Tony Robinson
> Security Consultant I
> SourceFIRE Professional Services Division
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!