Re: Modifying Rules Works One Direction, but Not T'Other

[Doug Burks <doug.burks () gmail com>]

Replies inline.

On Sat, Nov 29, 2014 at 2:51 PM, colony.three
<colony.three () protonmail ch> wrote:
> On Sat, Nov 29, 2014 at 2:09 PM, colony.three
> wrote:
> > > I've found that the current SecurityOnion has some serious problems. It
> > > does not even -define-:
> > > EXTERNAL_NET
> > > HOME_NET
> > > HTTP_PORTS
> > > ... for some reason.
>
> > Security Onion does indeed define those variables. Are you sure
> you're looking at the right file? Are you sure you ran through Setup
> properly? Are you sure you followed our Installation guide?
> https://code.google.com/p/security-onion/wiki/Installation
>
> I set it up in accord with the page you reference, and your videos, which
> are very helpful.
>
> I know these are not defined because of the weird behavior I was getting in
> modifying rules, and by inserting in rule-update many instances of:
> echo EXTERNAL_NET=$EXTERNAL_NET
> echo HOME_NET=$HOME_NET
> echo HTTP_PORTS=$HTTP_PORTS
>
> ... all blank.

These variables are not defined in the bash environment and that's why
your tests are showing up blank.  These variables are defined in your
snort.conf file.  Please see /etc/nsm/HOSTNAME-INTERFACE/snort.conf.

> > > And these are mandatory for the GPL Emerging Threats
> > > rules.
> > >
> > > I can't report the problems because SO requires G**gle Groups, and I'm
> > > not
> > > signing up for that.
>
> > Any particular reason why? You could always create a Google account
> just for Google Groups.
>
> I've never trusted G**gle for anything, anyway, anyhow.  It's the greatest
> data-mining operation in the history of the world, and the masses blithely
> hand over all their searches (which tell much about them), their contacts,
> their networks of friends and coworkers, and their very locations at all
> times as well as voice phone calls.  Apple is no better.  Someday people
> will start to realize that their life history follows them -forever-... like
> the proverbial 'school permanent record'.  Times they were bullied, all the
> stupid things they've said and written, will be accessible to every future
> employer, romantic engagement, neighbors, rivals, and police when the
> definition of 'what is wrong' changes.  Think it's not accessible?  I've
> seen it.
>
> I just don't use G**gle.

You should also be able to use our Google Group as a standard mailing
list just like this Snort mailing list.  Send email to
security-onion () googlegroups com from your existing non-Google email
account you're using here.  You'll receive replies at the same
non-Google email account.  At that point, it's really no different
than using this Snort mailing list.

> > > Further, it's looking like the GPL Emerging Threats rules may not be
> > > well-written, which are installed by SecurityOnion.
> > > What is going on with that?
>
> > Security Onion allows you to choose Sourcefire VRT or Emerging Threats.
>
> I need to somehow research the rulesets that are available.  I'm getting a
> clear implication from a Snort developer that the ET rulebase is poorly
> written.  Trying to get more info now.

Again, Security Onion allows you to choose either Sourcefire VRT or
Emerging Threats.  It's your choice.

-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!