Snort mailing list archives

Re: Pulledpork and preprocessor rules


From: SnortFan <SnortFan () yahoo com>
Date: Fri, 24 Jan 2014 09:48:07 -0500

Hi Dave,
      I'm still kinda trying to figure this out as well. What you may try is modifying the snort.conf to only enable the preprocessor for reputation. Comment the rest out in the snort.conf. So you would still pull down all the preprocessors with pulledpork, but snort would only activate those two preprocessor rules. Warning, I'm just making an educated guess. 8-)

Joel?  Does that sound right?

Thanks,
Ed 

Sent from a mobile device. 

On Jan 23, 2014, at 9:43 PM, Dave Corsello <snort-users () wintertreemedia com> wrote:

Hi Ed,

Thanks for your reply.  Maybe I should be more specific in what I want
to do.  I currently have rules enabled by policy.  In addition, I want
to turn on just the two reputation preprocessor rules, 1:136 and 2:136. 
I don't see a way to accomplish that with the categories that you
provided.  What am I missing?

--Dave

On 1/23/2014 3:47 PM, SnortFan wrote:
Here is the list as best as I can tell from what's in the snort rules file. When I place them into the enablesid.conf file and pull, I get the mother lode of rules. I don't recommend turning them all on.

app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11

Sent from a mobile device. 

On Jan 23, 2014, at 8:44 AM, SnortFan <SnortFan () yahoo com> wrote:

Hi Dave,
  It looks like it pulls them down and places them in the snort.rules file. I don't see where it replaces the gen-msg.map file, but if you search in the snort.rules file for one of the gids you should see them.

Cheers,
Ed

Sent from a mobile device. 

On Jan 23, 2014, at 7:43 AM, Dave Corsello <snort-users () wintertreemedia com> wrote:

I thought this would be a pretty basic question, but I haven't been able
to locate an answer yet.  How do you enable preproc rules in
pulledpork?  I tried adding "1:136,2:136" to enablesid.conf, but it
didn't work.
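A small check for what Ed suggests above (searching the generated snort.rules for the gids), added here as an example; it is not part of the thread or of pulledpork itself. It reports whether each rule requested in enablesid.conf is active, commented out, or absent from snort.rules. Note that pulledpork's enablesid.conf takes gid:sid pairs, and the two reputation preprocessor events are gid 136, sids 1 and 2 (so 136:1 and 136:2); the sample rules file below is constructed.

```python
import re

# Constructed sample of what pulledpork writes to snort.rules (not a real file).
SAMPLE_RULES = """\
# ---- preprocessor rules, reputation (gid 136) ----
alert ( msg:"REPUTATION_EVENT_BLACKLIST"; sid:1; gid:136; metadata:rule-type preproc; classtype:bad-unknown; )
# alert ( msg:"REPUTATION_EVENT_WHITELIST"; sid:2; gid:136; metadata:rule-type preproc; classtype:bad-unknown; )
# ---- text rules (gid defaults to 1 when absent) ----
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED FTP test"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"CONSTRUCTED DNS test"; sid:1000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)")
ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")

def rule_states(rules_text):
    """Map (gid, sid) -> True if the rule line is active, False if commented out."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        body = stripped.lstrip("#").strip()
        if not body.startswith(ACTIONS):
            continue  # blank lines and ordinary comments, not rules
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue
        gid_m = GID_RE.search(body)
        gid = int(gid_m.group(1)) if gid_m else 1
        states[(gid, int(sid_m.group(1)))] = not stripped.startswith("#")
    return states

def parse_enablesid(text):
    """Parse single gid:sid entries (comma separated, '#' comments) as in enablesid.conf."""
    wanted = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        for item in filter(None, (p.strip() for p in line.split(","))):
            gid, sid = item.split(":")
            wanted.add((int(gid), int(sid)))
    return wanted

def check_enabled(rules_text, enablesid_text):
    """Return {(gid, sid): 'enabled' | 'disabled' | 'missing'} for each requested rule."""
    states = rule_states(rules_text)
    return {k: ("missing" if k not in states else "enabled" if states[k] else "disabled")
            for k in parse_enablesid(enablesid_text)}

if __name__ == "__main__":
    for key, state in sorted(check_enabled(SAMPLE_RULES, "136:1,136:2 # reputation\n").items()):
        print("%d:%d %s" % (key[0], key[1], state))
```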

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!