Snort mailing list archives

Re: Disablesid.conf and classtype


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 26 Feb 2014 19:18:00 +0000

On Feb 26, 2014, at 10:30 AM, SnortFan <SnortFan () yahoo com> wrote:

Hi Joel,
    I think I may have found it.  In the pulledpork.conf I can set the ips_policy.  That will set for me the rule 
policy category mentioned in the article. I could then go back to my enablesid.conf and turn on only the categories 
not included in the ips_policy.

Bingo.

So for example: if I set the ips policy to security and then add the VoIP category in my enablesid.conf, I will get:

CVSS score 8 or greater
Age current back 3 years
Rule categories:
Malware-cnc
Blacklist
SQL injection
Exploit kit
App-detect
VoIP

Am I on track?

Yes.

Also for the VoIP,
Since it's an add on would it activate rules over the age setting older than the policy?

Yes.  You can turn on whatever you want.  That overrides our settings.  We just ship things in this fashion based upon 
the criteria.  You should always adjust your policy to your local network.


--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team



Thanks,
Ed

Sent from a mobile device.

On Feb 26, 2014, at 1:05 PM, SnortFan <SnortFan () yahoo com> wrote:

Hi Joel,
      I'm a little confused. Are all new rules created being placed into a rule category?  How do you pull rules based 
on temporal-based concerns? How do I pull rules based on CVSS score?

Right now I'm pulling rules based on categories using the enablesid.conf in pulledpork and that's probably a lot more 
rules than I need.

Thanks,
Ed

Sent from a mobile device.

On Feb 21, 2014, at 2:39 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Perhaps a bit off topic from the original thread, but Juan's email prompted me about the way he seems to be doing 
things.

Have you seen this?

http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html



--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Feb 21, 2014, at 11:52 AM, Juan Camilo Valencia <camilo.valencia13 () gmail com> wrote:

Hi,

We have been doing it based on CVE or category; here are some examples. I'm not completely sure that it is the most 
optimized, but it works; you can use it for your keyword:

#Regex to look for Internet Explorer rules with attempted-(admin|dos|recon|user) classtype
pcre:(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bmisc-(activity|attack)\b)
pcre:(?=.*\bBROWSER-IE\b)(?=.*\bweb-application-(activity|attack)\b)
#Regex to enable rules based on VRT-file-multimedia.rules and attempted-(admin|dos|user)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-(admin|dos)\b)
pcre:(?=.*\bFILE-MULTIMEDIA\b)(?=.*\battempted-user\b)(?=.*\b(apple|adobe|videolan.org)\b)
#Regex to enable rules in VRT-file-executable.rules based on FILE-EXECUTABLE and attempted
#(admin|user) and misc-activity
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\battempted-(admin|user)\b)
pcre:(?=.*\bFILE-EXECUTABLE\b)(?=.*\bmisc-activity\b)
#Regex to enable rules in VRT-malware-cnc.rules based on MALWARE-CNC and trojan-activity.
pcre:(?=.*\bMALWARE-CNC\b)(?=.*\btrojan-activity\b)

I hope that this help you,

Best Regards


On Fri, Feb 21, 2014 at 10:33 AM, SnortFan <SnortFan () yahoo com> wrote:
Hi All,
    Is anyone using regular expressions in pulledpork's disablesid.conf file to disable rules based on the classtype: 
of a rule?

If so can you post an example?

Thanks,
Ed

Sent from a mobile device.
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín Colombia

“Choose a job you love, and you will never have to work a day in your life”
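To make concrete how the two mechanisms discussed in this thread combine, here is an added illustration (not pulledpork's own code, and not from any poster): rules are selected either because their metadata lists the chosen ips_policy, or because an enablesid.conf-style pcre with lookaheads (the AND-of-conditions pattern Juan shows) matches the rule text. The rule lines, SIDs and the assumption that a VoIP rule carries "PROTOCOL-VOIP" in its msg are constructed for the example; real pulledpork reads the VRT rule files and applies its own config ordering.

```python
import re

# Constructed sample rules (not real VRT rules). Each carries a category in
# the msg, a classtype, and the "policy <name>-ips drop" metadata that VRT
# rules use to mark membership in the connectivity/balanced/security/max-detect policies.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-IE heap overflow attempt"; '
    'classtype:attempted-user; sid:1000001; rev:1; '
    'metadata:policy balanced-ips drop, policy security-ips drop;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-IE info leak"; '
    'classtype:misc-activity; sid:1000002; rev:1; metadata:policy security-ips drop;)',
    'alert udp any any -> $HOME_NET 5060 (msg:"PROTOCOL-VOIP SIP INVITE flood"; '
    'classtype:attempted-dos; sid:1000003; rev:1; metadata:policy max-detect-ips drop;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC beacon"; '
    'classtype:trojan-activity; sid:1000004; rev:1; metadata:policy balanced-ips drop;)',
    'alert tcp any any -> $HOME_NET any (msg:"FILE-MULTIMEDIA QuickTime atom overflow"; '
    'classtype:attempted-user; sid:1000005; rev:1;)',
]

# enablesid.conf-style pcre lines: each lookahead is one condition, all must hold.
ENABLESID_PCRE = [
    r"(?=.*\bBROWSER-IE\b)(?=.*\battempted-(admin|dos|recon|user)\b)",
    r"(?=.*\bPROTOCOL-VOIP\b)",   # the "VoIP add-on" from the thread, as assumed here
]

SID_RE = re.compile(r"\bsid:(\d+);")
POLICY_RE = re.compile(r"policy\s+([a-z-]+)-ips\b")


def rule_policies(rule):
    """Policy names (e.g. {'balanced', 'security'}) declared in a rule's metadata."""
    return set(POLICY_RE.findall(rule))


def selected_sids(rules, ips_policy, pcre_lines):
    """SIDs that end up enabled: rules in the chosen ips_policy, plus any rule
    matched by an enablesid pcre (which adds rules regardless of policy or age)."""
    patterns = [re.compile(p) for p in pcre_lines]
    chosen = set()
    for rule in rules:
        sid = int(SID_RE.search(rule).group(1))
        if ips_policy in rule_policies(rule) or any(p.search(rule) for p in patterns):
            chosen.add(sid)
    return sorted(chosen)


if __name__ == "__main__":
    print(selected_sids(SAMPLE_RULES, "security", ENABLESID_PCRE))
```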