Re: VRT Rules question

[JJC <cummingsj () gmail com>]

Almost all rules have the category named in the first part of the rule
msg:"BROWSER-IE rule"; kind of thing.. so my suggestion would be to create
a more complex regular expression that has this also in it...

pcre:BROWSER-IE.+MS(0|1)\d-\d+

Note that I didn't test the above but it should give you an idea... then if
you want all BUT within a certain category.. you would do a negative look
behind assertion kinda thing...

JJC


On Wed, Aug 21, 2013 at 2:28 PM, Juan Camilo Valencia <
juan.valencia () seguratec com co> wrote:

> Hi JJC,
>
> Thanks a lot for your quick answer, I tried now and works,  I can enable
> whatever I want based on the pcre feature, what I need to know if is there
> a possibility to be more granular in that? For example, with your
> suggestion (which I appreciate too much), I will activate all the MS00 and
> up Microsoft bulletins but in all the rules downloaded, I don't know if
> with PP I can add another criteria, activate all the MS00 and up Microsoft
> bulletins but just in *browser-ie.rules* only not in the entire ruleset,
> this is because we have a very sensitive network with a lot of data that we
> need to analyze and without that granular control that will be a nightmare.
> Once again thanks a lot for your help and attention, I hope that I
> explained better what I need to achieve.
>
> Best Regards
>
>
> On Wed, Aug 21, 2013 at 9:25 AM, JJC <cummingsj () gmail com> wrote:
>
> > Juan,
> >
> > This is the precise reason that PulledPork supports regular expressions
> > in your enablesid... you will want to craft the appropriate regular
> > expression for each wildcard that you want to enable.
> >
> > For example:
> > pcre:MS(0|1)\d-\d+
> >
> > The above would match anything from MS00 and up.. there are of course
> > different/better ways of doing this, but hopefully this example gets you
> > started (google "pcre" and start learning it, it's an invaluable knowledge
> > anyway).  Given this knowledge you should be able to see how to turn on
> > other rules based on your remaining requirements / criteria.
> >
> > JJC
> >
> >
> > On Wed, Aug 21, 2013 at 7:17 AM, Juan Camilo Valencia <
> > juan.valencia () seguratec com co> wrote:
> >
> > > Hi Guys,
> > >
> > > I think that this couple of questions were answered in the past, or are
> > > in some documentation but in this moment I can't find the answer. Basically
> > > what I Have is the need to activate certain rules based on CVE or MS in
> > > rules but based in a category, for example I want to enable all the CVE
> > > since 2000 to 2012 in os-windows.rules, however when I create the line in
> > > enablesid.conf in PulledPork, it activates for all the rules downloaded.
> > > Is there a way to mix that two criterias, CVE or MS and category?
> > > if not,
> > > have the rules a range in a category based? for example, os-linux.rules
> > > are between 2000 and 3000, os-windows.rules are between 3001 and 4000, etc.
> > >
> > > Because with that I think that I can use pcre and regex to do that.
> > >
> > > Thanks a lot for your time and your advance,
> > >
> > > Best regards from Colombia
> > >
> > > --
> > > JUAN CAMILO VALENCIA VARGAS
> > > Ingeniero de Operaciones
> > > SeguraTec S.A.S
> > > Calle 11 # 43B-50 of 307
> > > Medelllín Colombia
> > >
> > > *“Choose a job you love, and you will never have to work a day in your
> > > life”*
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Introducing Performance Central, a new site from SourceForge and
> > > AppDynamics. Performance Central is your source for news, insights,
> > > analysis and resources for efficient Application Performance Management.
> > > Visit us today!
> > >
> > > http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Introducing Performance Central, a new site from SourceForge and
> > AppDynamics. Performance Central is your source for news, insights,
> > analysis and resources for efficient Application Performance Management.
> > Visit us today!
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
>
> --
> JUAN CAMILO VALENCIA VARGAS
> Ingeniero de Operaciones
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medelllín Colombia
>
> *“Choose a job you love, and you will never have to work a day in your
> life”*
------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!