Re: How to activate all rules using PulledPork?

[SnortFan <SnortFan () yahoo com>]

Hi Michael,  
    You can have the file sit there if you'd like, you just have to have the reference uncommented and correctly 
defined in your pulledpork.conf. 

Here is my list:


app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11


If you want you can disable by placing a # in front of any line. So #x11 would disable pulledpork from enabling the x11 
rules. 

Note:  the category is not the same a class type.  I've seen multiple class types lumped into a catagory. 

Before you add them and do a pull, do a line count of uncommented lines in your snort.rules file. Then do the same 
after. 

Enjoy,
Ed 

Sent from a mobile device. 

> On Feb 23, 2014, at 8:11 PM, "Michael Steele" <michaels () winsnort com> wrote:
>
> All I do is add the attached enablesid.conf to the pulledpork/etc folder?
>  
> Is the list correct format?
>  
> Michael...
>  
> From: SnortFan [mailto:SnortFan () yahoo com] 
> Sent: Thursday, February 20, 2014 7:29 PM
> To: Michael Steele
> Cc: <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] How to activate all rules using PulledPork?
>  
> If your talking about all those commented out rules that pulled pork leaves in the snort.rules file, try adding the 
> snort rules categories in the enablesid file.  
>  
> If you need a list of the categories, their names are in the snort.rules file or I can find it in one of my emails to 
> the forum.
>  
> Cheers,
> Ed
>
> Sent from a mobile device. 
>
> On Feb 20, 2014, at 2:14 PM, "Michael Steele" <michaels () winsnort com> wrote:
>
> I've been trying to get PulledPork to enable all rules, and so far all help has stalled in the PulledPork Google 
> Groups.
>  
> I'm told by JJ that it is possible, and he has instructed me to add add <PCRE wildcard "."> (everything between the 
> <>) to the enablesid.conf, and all the alerts would be activated.
>  
> I’m having no problems processing rules any one of the three IP_Policy settings
>  
> Hopefully someone has a solution to this?
>  
> Here is my pulledpork.conf:
>  
> # Config file for pulledpork
> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>
> rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
> rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
> rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>
> temp_path=d:\winids\pulledpork\temp
> rule_path=d:\winids\snort\rules\winids.rules
> local_rules=d:\winids\snort\rules\local.rules
> sid_msg=d:\winids\snort\etc\sid-msg.map
> sid_msg_version=1
> sid_changelog=d:\winids\snort\log\sid_changes.log
> sorule_path=/usr/local/lib/snort_dynamicrules/
> snort_path=/usr/local/bin/snort
> config_path=/usr/local/etc/snort/snort.conf
> distro=FreeBSD-8.1
> docs=d:\winids\Apache24\htdocs\base\signatures\
> snort_version=2.9.5.6
> enablesid=d:\winids\pulledpork\etc\enablesid.conf
> dropsid=d:\winids\pulledpork\etc\dropsid.conf
> disablesid=d:\winids\pulledpork\etc\disablesid.conf
> modifysid=d:\winids\pulledpork\etc\modifysid.conf
> ips_policy=security
> version=0.7.0
>  
>  
> Here is my enablesid.conf:
>  
> # example enablesid.conf v3.1
> PCRE wildcard "."
>  
> Here is my run line:
>  
> pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vT
>  
> TIA...
> Michael...
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> <enablesid.conf>
------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!