Snort mailing list archives

Re: Disablesid.conf and classtype


From: Juan Camilo Valencia <camilo.valencia13 () gmail com>
Date: Fri, 21 Feb 2014 11:52:16 -0500

Hi,

We have been doing it based on CVE or category; here are some examples. I'm
not completely sure that it is the most optimized, but it works, and you can use
it for your keyword:

#Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
#Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
#Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted-(admin|user) and misc-activity
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
#Regex to enable rules in VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)

I hope that this helps you,

Best Regards


On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan () yahoo com> wrote:

Hi All,
    Is anyone using regular expressions in pulledpork's disablesid.conf
file to disable rules based on the classtype: of a rule?

If so can you post an example?

Thanks,
Ed

Sent from a mobile device.

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.

http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia

*"Choose a job you love, and you will never have to work a day in your
life"*
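To check what a set of pcre: entries like the ones above would actually select before handing them to pulledpork, here is an added Python example (not from this thread or from the pulledpork project). The sample rules and their sids are constructed placeholders, and it assumes pulledpork applies each pcre: entry case-sensitively against the full rule text.

```python
import re
# Constructed sample rules in Snort syntax (placeholder sids, not real VRT rule ids).
def make_rule(msg, classtype, sid, extra=""):
    return f'alert tcp any any -> any any (msg:"{msg}"; {extra}classtype:{classtype}; sid:{sid}; rev:1;)'
SAMPLE_RULES = [
    make_rule("BROWSER-IE Microsoft Internet Explorer use-after-free attempt", "attempted-user", 9000001),
    make_rule("BROWSER-IE Microsoft Internet Explorer info disclosure attempt", "attempted-recon", 9000002),
    make_rule("BROWSER-IE Internet Explorer unusual header detected", "policy-violation", 9000003),
    make_rule("MALWARE-CNC Win.Trojan.Example outbound connection", "trojan-activity", 9000004),
    make_rule("FILE-MULTIMEDIA Apple QuickTime malformed atom attempt", "attempted-user", 9000005,
              extra="reference:url,support.apple.com; "),
    make_rule("FILE-MULTIMEDIA Example player heap overflow attempt", "attempted-user", 9000006),
]

# pcre: entries in pulledpork's disablesid.conf syntax, taken from the examples above.
DISABLESID_CONF = r"""
# Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
# FILE-MULTIMEDIA attempted-user rules that also mention one of three vendors anywhere
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
"""

def load_pcre_filters(conf_text):
    """Compile the pcre: entries of a disablesid.conf-style text, skipping '#' comments
    and blank lines. Assumption: entries apply case-sensitively, exactly as written."""
    filters = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("pcre:"):
            filters.append(re.compile(line[len("pcre:"):]))
    return filters

FILTERS = load_pcre_filters(DISABLESID_CONF)
SID_RE = re.compile(r"\bsid:(\d+);")
def matching_sids(rules, filters):
    """Map each sid to the index of the first pcre: entry matching its full rule text.
    The lookaheads scan the whole line, so msg, classtype and reference fields all count."""
    hits = {}
    for rule in rules:
        sid = int(SID_RE.search(rule).group(1))
        for idx, rx in enumerate(filters):
            if rx.search(rule):
                hits[sid] = idx
                break
    return hits

if __name__ == "__main__":
    for sid, idx in sorted(matching_sids(SAMPLE_RULES, FILTERS).items()):
        print(f"sid {sid} would be disabled by pcre entry #{idx}")
```

Note that sid 9000005 is selected only because its reference field contains "apple"; the capitalised "Apple" in its msg would not match, which is the kind of surprise worth checking before a rule update runs.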