Snort mailing list archives
Re: Disablesid.conf and classtype
From: Juan Camilo Valencia <camilo.valencia13 () gmail com>
Date: Fri, 21 Feb 2014 11:52:16 -0500
Hi,

We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most optimized, but it works. You can use it for your keyword:

#Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)

#Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)

#Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted-(admin|user) and misc-activity
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)

#Regex to enable rules on VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)

I hope that this helps you,

Best Regards

On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan () yahoo com> wrote:
Hi All,

Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: of a rule? If so, can you post an example?

Thanks,
Ed

Sent from a mobile device.
--
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia
*"Choose a job you love, and you will never have to work a day in your life"*
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
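As an added example (not code from this thread or from pulledpork itself), the following Python applies pcre: lines in the style of the patterns posted above to a few constructed sample rules and reports which sids they would select, so the lookahead patterns can be checked before they go into disablesid.conf or enablesid.conf. The sample rules, the placeholder sids and the case-insensitive matching (needed for "apple" to hit "Apple") are assumptions of this example, not pulledpork's documented behaviour.

```python
import re

# Constructed sample rules in Snort rule syntax (not real VRT rules; sids are placeholders).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use-after-free attempt"; flow:to_client,established; classtype:attempted-user; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer information leak attempt"; flow:to_client,established; classtype:misc-activity; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime malformed atom attempt"; flow:to_client,established; classtype:attempted-user; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Windows Media Player overflow attempt"; flow:to_client,established; classtype:attempted-user; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Generic outbound connection"; flow:to_server,established; classtype:trojan-activity; sid:9000005; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-IE commented out"; classtype:attempted-admin; sid:9000006; rev:1;)
'''

# pcre: lines in the pulledpork disablesid.conf / enablesid.conf style used in the thread.
# Note the unescaped '.' in videolan.org matches any character, not only a literal dot.
CONF = r'''
#Regex for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)
'''

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def load_pcre_patterns(conf_text):
    # Keep only pcre: lines ('#' comments and blanks are ignored); IGNORECASE is this example's assumption.
    return [re.compile(line.strip()[len("pcre:"):], re.IGNORECASE)
            for line in conf_text.splitlines()
            if line.strip().startswith("pcre:")]

def match_rules(rules_text, patterns):
    # Map each active rule's sid to the indexes of the patterns whose lookaheads all hold.
    hits = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out rules are not active and are skipped
        sid = SID_RE.search(line)
        if not sid:
            continue
        matched = [i for i, p in enumerate(patterns) if p.search(line)]
        if matched:
            hits[int(sid.group(1))] = matched
    return hits

def selected_sids(rules_text=SAMPLE_RULES, conf_text=CONF):
    # Sorted sids that a disablesid.conf (or enablesid.conf) containing these lines would act on.
    return sorted(match_rules(rules_text, load_pcre_patterns(conf_text)))

if __name__ == "__main__":
    print(selected_sids())  # → [9000001, 9000003, 9000005]
```

Rule 9000004 is deliberately left unselected: it is FILE-MULTIMEDIA with attempted-user, but its msg names none of the vendors in the third lookahead, which is the kind of near miss worth checking before deploying a pattern.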
Current thread:
- Disablesid.conf and classtype SnortFan (Feb 21)
- Re: Disablesid.conf and classtype Juan Camilo Valencia (Feb 21)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 21)
- Re: Disablesid.conf and classtype SnortFan (Feb 26)
- Re: Disablesid.conf and classtype SnortFan (Feb 26)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 26)
- Re: Disablesid.conf and classtype Joel Esler (jesler) (Feb 21)
- Re: Disablesid.conf and classtype Juan Camilo Valencia (Feb 21)