Snort mailing list archives

Re: configuring rules


From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Thu, 4 Sep 2014 09:49:03 +0000

I worked out what was wrong, I had the wrong distro selected.




*         Assuming pulledpork overwrites the snort.rules file every time there is an update?

*         If I overwrite one of these rules, place it in another file or enable it, which one will take precedence over the other?

*         Is it possible for pulledpork to place them in the original files?


From: Sharif Uddin [mailto:Sharif.Uddin () spectrumasa com]
Sent: 03 September 2014 15:34
To: Joel Esler; Y M
Cc: snort-users
Subject: Re: [Snort-users] configuring rules

Oink code changed

steps I took

I got latest vrt file and installed them.

Then I followed this guide

http://www.rivy.org/2013/03/updating-snort-rules-using-pulled-pork/

below is pulledpork.conf


rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|oink
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|oink
ignore
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-6-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/local/bin/snort_control
pid_path=/var/run/snort_end34.pid

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
version=0.7.0



There are no files under the rules folder, so I have to create empty ones or else snort will not start up.

However there is

[root@snort snort]# ll rules/
total 24
drwxr-xr-x 2 snort snort    30 Sep  3 14:25 iplists
-rw-r--r-- 1 snort snort    10 Sep  3 15:31 iplistsIPRVersion.dat
-rw-r--r-- 1  1210  1210 19574 Aug 27 21:02 VRT-License.txt

And

[root@snort snort]# ll rules/iplists
total 32
-rw-r--r-- 1 snort snort 28713 Sep  3 15:31 default.blacklist


From: Joel Esler [mailto:jesler () cisco com]
Sent: 03 September 2014 15:25
To: Y M; Sharif Uddin
Cc: snort-users
Subject: Re: [Snort-users] configuring rules

Your rule file should be here:

/etc/snort/rules/snort.rules

According to the dump you posted below.


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
On 9/3/14 10:22 AM, Y M wrote:
I highly recommend that you go ahead and change your oinkcode (like right now), do not post it in public!

To answer your questions:

- It depends on how you configure PulledPork: either all to one file (snort.rules) or you copy over the individual 
rules files. PulledPork handles all of that.
- If you do not do the modification in PulledPork's modifysid.conf, then all of your changes will get overwritten.
- We will need to see how you are configuring PulledPork (minus your oinkcode).

YM
________________________________
From: Sharif.Uddin () spectrumasa com<mailto:Sharif.Uddin () spectrumasa com>
To: jesler () cisco com<mailto:jesler () cisco com>
Date: Wed, 3 Sep 2014 14:10:08 +0000
CC: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] configuring rules

I have set up pulled pork and would like to know

*         where all the rules get written to

*         what happens if I modify one of these rules and run the command again

*         why when I empty the rules folder and run the pulledpork command the folder is still empty

[root@snort snort]# pulledpork.pl -c /etc/pulledpork/pulledpork.conf -vv



    http://code.google.com/p/pulledpork/

      _____ ____

     `----,\    )

      `--==\\  /    PulledPork v0.7.0 - Swine Flu!

       `--==\\/

     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings

  @_/        /  66\_  cummingsj () gmail com<mailto:cummingsj () gmail com>

    |    \   \   _(")

     \   /-| ||'--'  Rules give me wings!

      \_\  \_\\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Config File Variable Debug /etc/pulledpork/pulledpork.conf

        snort_path = /usr/local/bin/snort

        black_list = /etc/snort/rules/iplists/default.blacklist

        pid_path = /var/run/snort_end34.pid

        IPRVersion = /etc/snort/rules/iplists

        rule_path = /etc/snort/rules/snort.rules

        ignore = deleted.rules,experimental.rules,local.rules

        snort_control = /usr/local/bin/snort_control

        rule_url = ARRAY(0x30e8720)

        sid_msg_version = 1

        sid_changelog = /var/log/sid_changes.log

        sid_msg = /etc/snort/sid-msg.map

        config_path = /etc/snort/snort.conf

        temp_path = /tmp

        distro = RHEL-6-0

        version = 0.7.0

        sorule_path = /usr/local/lib/snort_dynamicrules/

        local_rules = /etc/snort/rules/local.rules

MISC (CLI and Autovar) Variable Debug:

        arch Def is: x86-64

        Config Path is: /etc/pulledpork/pulledpork.conf

        Distro Def is: RHEL-6-0

        Disabled policy specified

        local.rules path is: /etc/snort/rules/local.rules

        Rules file is: /etc/snort/rules/snort.rules

        sid changes will be logged to: /var/log/sid_changes.log

        sid-msg.map Output Path is: /etc/snort/sid-msg.map

        Snort Version is: 2.9.6.2

        Snort Config File: /etc/snort/snort.conf

        Snort Path is: /usr/local/bin/snort

        SO Output Path is: /usr/local/lib/snort_dynamicrules/

        Will process SO rules

        Extra Verbose Flag is Set

        Verbose Flag is Set

        Base URL is: 
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|bc79ebef13822d894e68f63ee3e46916dc684d82 
https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community 
http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open 
https://www.snort.org/reg-rules/|opensource.gz|bc79ebef13822d894e68f63ee3e46916dc684d82





MY HTTPS PROXY = http://proxy:3128





MY HTTP PROXY = http://proxy:3128

Checking latest MD5 for snortrules-snapshot-2962.tar.gz....

        Fetching md5sum for: snortrules-snapshot-2962.tar.gz.md5

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2962.tar.gz.md5/bc79ebef13822d894e68f63ee3e46916dc684d82 ==> 
200 OK (1s)

        most recent rules file digest: 89727bcdc8e13597e20f98a8cf1922c6

        current local rules file  digest: 89727bcdc8e13597e20f98a8cf1922c6

        The MD5 for snortrules-snapshot-2962.tar.gz matched 89727bcdc8e13597e20f98a8cf1922c6



Checking latest MD5 for community-rules.tar.gz....

        Fetching md5sum for: community-rules.tar.gz.md5

** GET https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 ==> 200 OK

        most recent rules file digest: 9da58f33a7d70a15ec4783846a26215b

        current local rules file  digest: 9da58f33a7d70a15ec4783846a26215b

        The MD5 for community-rules.tar.gz matched 9da58f33a7d70a15ec4783846a26215b



IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....

** GET http://labs.snort.org/feeds/ip-filter.blf ==> 200 OK

        Reading IP List...

Checking latest MD5 for opensource.gz....

        Fetching md5sum for: opensource.gz.md5

** GET https://www.snort.org/reg-rules/opensource.gz.md5/bc79ebef13822d894e68f63ee3e46916dc684d82 ==> 200 OK

        most recent rules file digest: 489712cc1f594ad03958473e8a4c00d0

        current local rules file  digest: 489712cc1f594ad03958473e8a4c00d0

        The MD5 for opensource.gz matched 489712cc1f594ad03958473e8a4c00d0



Cleanup....

        removed 0 temporary snort files or directories from /tmp/tha_rules!

Blacklist version is unchanged, not updating!

Writing /var/log/sid_changes.log....

        Done



No Rule Changes



No IP Blacklist Changes



Done

Please review /var/log/sid_changes.log for additional details

Fly Piggy Fly!



From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 17:53
To: Sharif Uddin
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] configuring rules



Yes.



http://manual.snort.org/node53.html



--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos



On Sep 2, 2014, at 12:50 PM, Sharif Uddin <Sharif.Uddin () spectrumasa com<mailto:Sharif.Uddin () spectrumasa com>> wrote:

Is it possible to have multiple ip addresses instead of just networks in

ipvar HOME_NET

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 17:17
To: Sharif Uddin
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] configuring rules



Dear Sharif,

Thanks for your email.  I believe you will find what you are looking for here: http://manual.snort.org/node31.html#SECTION00446000000000000000



--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos





On Sep 2, 2014, at 12:05 PM, Sharif Uddin <Sharif.Uddin () spectrumasa com<mailto:Sharif.Uddin () spectrumasa com>> wrote:

How would I add classification, severity on custom alerts?


From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 16:49
To: Sharif Uddin
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] configuring rules



It appears that all of your rules are bi-directional.  "<>".  Try making them single directional "->"



--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos



On Sep 2, 2014, at 11:41 AM, Sharif Uddin <Sharif.Uddin () spectrumasa com<mailto:Sharif.Uddin () spectrumasa com>> wrote:

Hello

I need some help in writing some rules to test my network.

I have set up snort, barnyard2, snorby on centos 7

My home network is

ipvar HOME_NET [172.16.0.0/22,172.16.12.0/24,172.16.13.0/24,31.221.13.192/29,62.49.167.0/29,62.49.167.8/29,192.168.254.0/24,192.168.202.0/24,192.168.218.0/24,10.0.2.0/24,10.0.3.0/24,192.168.15.0/24,172.16.64.0/18,172.16.15.0/24,172.16.16.0/22,10.0.0.0/24,10.0.1.0/24,192.168.252.0/24,172.16.171.0/24,10.40.135.0/24,172.16.8.0/24,172.16.9.0/24,192.168.0.0/24,172.0.0.0/24,105.0.0.0/24,192.168.1.1/24,192.168.224.0/20,212.103.166.96/30]

The following are some test rules which I put in local.rules

alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP"; sid: 1000001; rev:1;) # external ping to internal network?

alert tcp $HOME_NET any <> $HOME_NET any (content:"|00 01 86 a5|"; msg:"mountd access";sid:1000002;rev:1;)  # found a sample online which has not responded to anything

alert tcp !$HOME_NET :139 <> $HOME_NET any (msg:"NetBIOS Session";sid:1000003;rev:1;) # test external ip trying to mount

alert tcp !$HOME_NET :445 <> $HOME_NET any (msg:"SMB over TCP";sid:1000004;rev:1;) # test external ip trying to mount

Have I written them correctly?

For my samba alerts I have found it also includes the internal network; when I look at the source port on snorby, it's not always 139 or 445. What am I doing wrong?

Sharif





IMPORTANT - This message and any attached files contain information intended for the exclusive use of the party or 
parties to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt 
from disclosure under applicable law. If you are not an intended recipient, you are hereby notified that any viewing, 
copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify 
the sender immediately and delete the original message without making any copies. Copyright in this email and any 
attachments belong to Spectrum Geo Limited.
We cannot guarantee the security or confidentiality of email communications. We do not accept any liability for losses 
or damages that you may suffer as a result of your receipt of this email.
Email communication with Spectrum Geo Ltd., may be monitored as permitted by UK legislation.
Spectrum Geo Limited, is a limited company registered in England and Wales. Registered number: 1979422. Registered 
office: 95 Aldwych, London WC2B 4JF.
------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
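As an added example (not from this thread and not code from the Snort or PulledPork projects), here is a small Python linter that applies the review points raised in the thread to the local.rules lines Sharif posted: it flags the bidirectional "<>" operator Joel pointed out, expands Snort port-range syntax so that ":139" is reported as the range 1-139 rather than the single port 139 (which fits the varying source ports seen in Snorby), and notes rules with no classtype (the classification/priority question). The rule set below is constructed for the example; the fifth rule is a rewritten form that follows the list's advice.

```python
import re

# Constructed sample: the four test rules from the thread (trailing "# ..." notes
# dropped) plus one rewritten rule that follows the advice given on the list.
SAMPLE_RULES = """\
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP"; sid: 1000001; rev:1;)
alert tcp $HOME_NET any <> $HOME_NET any (content:"|00 01 86 a5|"; msg:"mountd access";sid:1000002;rev:1;)
alert tcp !$HOME_NET :139 <> $HOME_NET any (msg:"NetBIOS Session";sid:1000003;rev:1;)
alert tcp !$HOME_NET :445 <> $HOME_NET any (msg:"SMB over TCP";sid:1000004;rev:1;)
alert tcp !$HOME_NET any -> $HOME_NET 445 (msg:"SMB over TCP"; classtype:attempted-recon; sid:1000005; rev:2;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")   # "key:value;" option pairs

def port_bounds(spec):
    """Snort port spec -> (low, high): 'any' is 1-65535, ':139' is 1-139, '1024:' is 1024-65535."""
    spec = spec.lstrip("!")
    if spec == "any":
        return 1, 65535
    lo, sep, hi = spec.partition(":")
    hi = hi if sep else lo          # no ':' means a single port
    return (int(lo) if lo else 1), (int(hi) if hi else 65535)

def parse_rule(line):
    """Split a one-line rule into header fields plus an options dict; None if it does not parse."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["options"] = {k: v.strip() for k, v in OPT_RE.findall(rule.pop("opts"))}
    return rule

def lint_rule(rule):
    """Findings a reviewer would raise for one parsed rule."""
    findings = []
    if rule["dir"] == "<>":
        findings.append("bidirectional '<>' also fires on internal-to-external traffic; use '->'")
    for field in ("sport", "dport"):
        lo, hi = port_bounds(rule[field])
        if ":" in rule[field]:
            findings.append(f"{field} '{rule[field]}' is a range ({lo}-{hi}), not a single port")
    if "classtype" not in rule["options"]:
        findings.append("no classtype, so the alert carries no classification or priority")
    return findings

def lint_rules(text):
    """Map each sid (or line number, if the line does not parse) to its findings."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            report[f"line {n}"] = ["does not parse as a rule header"]
        else:
            report[rule["options"].get("sid", f"line {n}")] = lint_rule(rule)
    return report
```

Run lint_rules(open("/etc/snort/rules/local.rules").read()) to check your own file; an empty findings list means the rule passed these checks.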