Snort mailing list archives

Snort.org Blog: Rule Category Reorganization Phase 3

From: Joel Esler <jesler () sourcefire com>
Date: Mon, 22 Oct 2012 17:03:47 -0400

http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html

Rule Category Reorganization Phase 3
Back in April 2012, the Vulnerability Research Team (VRT) began its Rule Category Reorganization effort to 
realign the rules into an easier-to-understand category structure.

We are continuing that effort with the VRT’s newest rule release, adding the following categories:

BROWSER-PLUGINS -- This category contains rules that look for, and control, the traffic of certain applications that 
are considered plugins to the browser, ActiveX for example.

INDICATOR-SHELLCODE -- This category contains detection for generic shellcode being found in traffic.  This category is 
largely a carry-over from the previous shellcode.rules category.

OS-LINUX -- This category contains detection for vulnerabilities present in the Linux family of Operating Systems.  
Made to be enabled by those users that have any Linux OS on the network.

OS-SOLARIS -- This category contains detection for vulnerabilities present in the Sun (now Oracle) Solaris OS.  Made 
to be enabled by those users that have any version of Solaris OS on the network.

OS-WINDOWS -- This category contains detection for vulnerabilities present in the Windows family of Operating Systems.  
Made to be enabled by those users that have any version of Windows OS present on the network.  This is mutually 
exclusive of Microsoft products such as Office, which are in the FILE-OFFICE category.

OS-OTHER -- This category contains detection for vulnerabilities in other Operating Systems not listed above, such as 
Android, AIX, etc.

POLICY-SPAM -- This category contains rules that are specifically tailored to detect spam within emails.  Largely a 
carry-over from the present phishing-spam.rules category.

PROTOCOL-FINGER -- This category contains rules for vulnerabilities that are found or are delivered through the finger 
protocol.

PROTOCOL-FTP -- This category contains rules for vulnerabilities that are found or are delivered through the FTP 
protocol.

PROTOCOL-ICMP -- This category contains rules for vulnerabilities that are found inside of or delivered through the 
ICMP protocol, as well as rules that report information about ICMP traffic.  Largely a carry-over from the present 
icmp.rules and icmp-info.rules categories.

PROTOCOL-IMAP -- This category contains rules for vulnerabilities present inside of or delivered by the IMAP protocol.

PROTOCOL-POP -- This category contains rules for vulnerabilities present inside of or delivered through the POP 
protocols.

PROTOCOL-SERVICES -- This category contains rules for vulnerabilities present inside of, or delivered through the 
"RServices" features.  Largely a carry-over from the present rservices.rules.

PROTOCOL-VOIP -- This category contains rules for vulnerabilities present inside of, or delivered through, "VOIP" 
protocols or products.  Largely a carry-over from the present voip.rules category, but all VOIP-related products will 
be consolidated here for easy use.

PUA-ADWARE -- This category contains rules for the detection of Adware found in traffic.  Largely a carry-over of the 
present spyware-put.rules category, renamed to fall in line with the naming convention of our other products and to 
allow easy consolidation into one category from multiple places.

PUA-OTHER -- This category will contain anything that is considered a "Potentially Unwanted Application" that does not 
fit into the other PUA categories.

SERVER-APACHE -- This category will contain rules for the detection of vulnerabilities present in the Apache Web Server 
family of products.

SERVER-IIS -- This category will contain rules for the detection of vulnerabilities present in the Microsoft IIS family 
of products.

SERVER-MSSQL -- This category will contain rules for the detection of vulnerabilities present in the Microsoft MSSQL 
family of products.

SERVER-MYSQL -- This category will contain rules for the detection of vulnerabilities present in the Oracle MySQL 
family of products.  Largely a carry-over from the present mysql.rules category.

SERVER-ORACLE -- This category will contain rules for the detection of vulnerabilities present in the Oracle Database.  
Largely a carry-over from the present oracle.rules category.

SERVER-WEBAPP -- This category will contain rules for the detection of vulnerabilities present in "Web-based 
Applications".

SERVER-OTHER -- This category will contain rules for the detection of vulnerabilities against servers not otherwise 
listed above.

To include these in your snort.conf, add the following lines to the rule section at the end.  If you are using 
PulledPork in its default mode, you shouldn't need to do anything:

include $RULE_PATH/browser-plugins.rules
include $RULE_PATH/indicator-shellcode.rules
include $RULE_PATH/os-linux.rules
include $RULE_PATH/os-solaris.rules
include $RULE_PATH/os-windows.rules
include $RULE_PATH/os-other.rules
include $RULE_PATH/policy-spam.rules
include $RULE_PATH/protocol-finger.rules
include $RULE_PATH/protocol-ftp.rules
include $RULE_PATH/protocol-icmp.rules
include $RULE_PATH/protocol-imap.rules
include $RULE_PATH/protocol-pop.rules
include $RULE_PATH/protocol-services.rules
include $RULE_PATH/protocol-voip.rules
include $RULE_PATH/pua-adware.rules
include $RULE_PATH/pua-other.rules
include $RULE_PATH/server-apache.rules
include $RULE_PATH/server-iis.rules
include $RULE_PATH/server-mssql.rules
include $RULE_PATH/server-mysql.rules
include $RULE_PATH/server-oracle.rules
include $RULE_PATH/server-other.rules
include $RULE_PATH/server-webapp.rules

Updated default snort.conf files are here: http://www.snort.org/vrt/snort-conf-configurations/

If you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected. 
These products will handle the transition just fine.  The only way you will be affected when using PulledPork (or 
Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of 
rules.
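An added check, not from the post or the VRT, covering both the include list above and the category-level note just made: a POSIX shell script that reports which of the Phase 3 include lines a given snort.conf still lacks, and which of the old carried-over category files (shellcode.rules, icmp.rules, spyware-put.rules and so on) it still includes. It assumes a stock snort.conf with `include $RULE_PATH/<category>.rules` lines and takes the path as its first argument.

```shell
#!/bin/sh
# Added example, not from the Snort/VRT post: audit a snort.conf against the
# Phase 3 category list. Usage: sh phase3_check.sh /etc/snort/snort.conf

# The 23 categories the post adds (file names as in its include lines).
PHASE3="browser-plugins indicator-shellcode os-linux os-solaris os-windows
os-other policy-spam protocol-finger protocol-ftp protocol-icmp protocol-imap
protocol-pop protocol-services protocol-voip pua-adware pua-other
server-apache server-iis server-mssql server-mysql server-oracle server-other
server-webapp"

# Old category files the post says were carried over into new categories.
# Assumption: an include of one of these is worth a manual review after the
# reorganization (the post does not say whether the old files are removed).
CARRIED_OVER="shellcode icmp icmp-info phishing-spam rservices voip
spyware-put mysql oracle"

# True when an active (not commented-out) "include $RULE_PATH/<name>.rules"
# line is present in file $1 for category $2.
include_present() {
    grep -Eq "^[[:space:]]*include[[:space:]]+[\$]RULE_PATH/$2\\.rules" "$1"
}

# Print the Phase 3 include lines that the given snort.conf still lacks,
# ready to paste into its rule section.
missing_includes() {
    for cat in $PHASE3; do
        include_present "$1" "$cat" || echo "include \$RULE_PATH/$cat.rules"
    done
}

# Print the carried-over category files whose old include line is still active.
carried_over_includes() {
    for cat in $CARRIED_OVER; do
        include_present "$1" "$cat" && echo "$cat.rules"
    done
    return 0
}

if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    echo "# Phase 3 includes missing from $1:"
    missing_includes "$1"
    echo "# Old carried-over category files still included:"
    carried_over_includes "$1"
fi
```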
