Snort mailing list archives
Re: Modifying Rules Works One Direction, but Not T'Other
From: Doug Burks <doug.burks () gmail com>
Date: Sat, 29 Nov 2014 14:58:38 -0500
Replies inline. On Sat, Nov 29, 2014 at 2:51 PM, colony.three <colony.three () protonmail ch> wrote:
> On Sat, Nov 29, 2014 at 2:09 PM, colony.three wrote:
>> I've found that the current SecurityOnion has some serious problems. It does not even -define-: EXTERNAL_NET HOME_NET HTTP_PORTS ... for some reason.
>
> Security Onion does indeed define those variables. Are you sure you're looking at the right file? Are you sure you ran through Setup properly? Are you sure you followed our Installation guide?
> https://code.google.com/p/security-onion/wiki/Installation
>
> I set it up in accord with the page you reference, and your videos, which are very helpful. I know these are not defined because of the weird behavior I was getting in modifying rules, and by inserting in rule-update many instances of:
>
> echo EXTERNAL_NET=$EXTERNAL_NET
> echo HOME_NET=$HOME_NET
> echo HTTP_PORTS=$HTTP_PORTS
>
> ... all blank.
These variables are not defined in the bash environment and that's why your tests are showing up blank. These variables are defined in your snort.conf file. Please see /etc/nsm/HOSTNAME-INTERFACE/snort.conf.
>> And these are mandatory for the GPL Emerging Threats rules. I can't report the problems because SO requires G**gle Groups, and I'm not signing up for that.
>
> Any particular reason why? You could always create a Google account just for Google Groups.
>
> I've never trusted G**gle for anything, anyway, anyhow. It's the greatest data-mining operation in the history of the world, and the masses blithely hand over all their searches (which tell much about them), their contacts, their networks of friends and coworkers, and their very locations at all times as well as voice phone calls. Apple is no better. Someday people will start to realize that their life history follows them -forever-... like the proverbial 'school permanent record'. Times they were bullied, all the stupid things they've said and written, will be accessible to every future employer, romantic engagement, neighbors, rivals, and police when the definition of 'what is wrong' changes. Think it's not accessible? I've seen it. I just don't use G**gle.
You should also be able to use our Google Group as a standard mailing list just like this Snort mailing list. Send email to security-onion () googlegroups com from your existing non-Google email account you're using here. You'll receive replies at the same non-Google email account. At that point, it's really no different than using this Snort mailing list.
>> Further, it's looking like the GPL Emerging Threats rules may not be well-written, which are installed by SecurityOnion. What is going on with that?
>
> Security Onion allows you to choose Sourcefire VRT or Emerging Threats.
>
> I need to somehow research the rulesets that are available. I'm getting a clear implication from a Snort developer that the ET rulebase is poorly written. Trying to get more info now.
Again, Security Onion allows you to choose either Sourcefire VRT or Emerging Threats. It's your choice.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
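A check that follows from Doug's point about where the variables live, added here as an example and not part of the thread, of Snort, or of Security Onion: HOME_NET, EXTERNAL_NET and HTTP_PORTS are ipvar/portvar/var lines that Snort parses out of snort.conf, so echoing them from a shell script will always print blanks. The POSIX shell script below reads those lines from a snort.conf and reports which expected names are missing. The path /etc/nsm/HOSTNAME-INTERFACE/snort.conf comes from the reply above; the sample config it runs against is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Security Onion. Shows that Snort
# variables are defined in snort.conf (ipvar/portvar/var lines), not in the
# shell environment, and gives a way to verify a config defines what rules need.
# Real file on Security Onion (per Doug's reply): /etc/nsm/HOSTNAME-INTERFACE/snort.conf

# Print the value of a Snort variable defined in a snort.conf.
# Usage: snort_var <snort.conf> <NAME>; prints the value, returns 1 if undefined.
snort_var() {
    conf="$1"
    name="$2"
    # Match "ipvar HOME_NET [...]", "portvar HTTP_PORTS [...]" or "var RULE_PATH ...";
    # drop the keyword and name and print the remainder of the line.
    val=$(awk -v n="$name" '$1 ~ /^(ipvar|portvar|var)$/ && $2 == n {
        $1 = ""; $2 = ""; sub(/^ */, ""); print; exit }' "$conf")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Print every name from the list that the config leaves undefined.
# Usage: missing_vars <snort.conf> NAME...; returns 1 if anything is missing.
missing_vars() {
    conf="$1"; shift
    rc=0
    for n in "$@"; do
        if ! snort_var "$conf" "$n" >/dev/null; then
            echo "$n"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config so the script runs stand-alone (not a real SO file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed snort.conf fragment
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080,8000]
var RULE_PATH /etc/nsm/rules
EOF

# The shell never sees these names, which is why "echo $HOME_NET" prints nothing.
echo "Shell sees HOME_NET as: '${HOME_NET:-}'"
echo "snort.conf defines HOME_NET as: $(snort_var "$SAMPLE_CONF" HOME_NET)"
# SSH_PORTS is deliberately absent from the sample, so it is reported as missing.
missing_vars "$SAMPLE_CONF" HOME_NET EXTERNAL_NET HTTP_PORTS SSH_PORTS \
    || echo "(the names above are not defined in the config)"
```

Run it against the sensor's real snort.conf by replacing SAMPLE_CONF with that path; a non-zero exit from missing_vars is the signal that a ruleset referencing those names will fail to load rather than silently match nothing.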
Current thread:
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 27)
- <Possible follow-ups>
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 27)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Joel Esler (jesler) (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Joel Esler (jesler) (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 30)
(Thread continues...)