Re: Snort-users Digest, Vol 122, Issue 42

[fatema bannatwala <fatema.bannatwala () gmail com>]

Hi LP,

You could use snort.conf file and disable the rules you do not want snort
to load while it starts.
We also had to disable some pre-proc rules and using the snort.conf file to
disable them:
For Ex, in snort.conf comment out the rule set you don't want:

$ less snort.conf
...........
#include $RULE_PATH/VRT-preprocessor.rules
# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
.............

Hope this helps.

Thanks,
Fatema.


On Fri, Jul 29, 2016 at 3:37 PM, <snort-users-request () lists sourceforge net>
wrote:

> Send Snort-users mailing list submissions to
>         snort-users () lists sourceforge net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request () lists sourceforge net
>
> You can reach the person managing the list at
>         snort-users-owner () lists sourceforge net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
> Today's Topics:
>
>    1. Disabling Preprocessor/Decoder rules (Lauren Proehl)
>    2. R:  Catch rate testing with VRT free ruleset (Romagnoli Andrea)
>    3. Determining remote proxy servers using snort. (fatema bannatwala)
>    4. Re: Pulledpork does not apply policies to Snort   registered
>       rules (Michael Steele)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 29 Jul 2016 14:35:08 +0000
> From: Lauren Proehl <lauren.proehl () unitedlex com>
> Subject: [Snort-users] Disabling Preprocessor/Decoder rules
> To: snort-users mailinglist <snort-users () lists sourceforge net>
> Message-ID: <D3C0D3CB.9259%lauren.proehl () unitedlex com>
> Content-Type: text/plain; charset="windows-1252"
>
> Snort Users,
>
> Wondering if you all can help me. A new analyst accidentally enabled
> preproc rules last night and couldn?t figure out how to turn them off. I
> managed to edit the pulledpork conf and stop them from downloading, but
> wondering if there is a way to fine tune these rules better, i.e.
> Disablesid.conf snort.conf or threshold.conf.
>
> (Rule Ex: stream5: TCP Timestamp is missing)
>
>
> Regards,
>
> LP
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 2
> Date: Fri, 29 Jul 2016 15:56:57 +0000
> From: Romagnoli Andrea <andrea.romagnoli () it telecomitalia it>
> Subject: [Snort-users] R:  Catch rate testing with VRT free ruleset
> To: "Joel Esler (jesler)" <jesler () cisco com>
> Cc: "snort-users () lists sourceforge net"
>         <snort-users () lists sourceforge net>
> Message-ID:
>
> <ca58c8fd9d2b4f0281770da95cc41ecb@TELMBXD07BA020.telecomitalia.local>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Joel,
> Thank you for your feedback! At the moment we are running all VRT free
> rules and we are not dropping any packets due to high traffic rate (or
> other reasons). Which preprocessor configuration could cause this effect?
> We are using default conf file, except for stream5_global variable (we
> added memcap and increased TCP/UDP max connections), setting HOME_NET, daq
> PF_RING variables and some secondary parameters like rules directory
> location, ip reputation lists location, so on and so forth. I can share the
> conf if could be helpful.
>
> Thank you
> Best regards,
> Andrea
>
> -----Messaggio originale-----
> Da: Joel Esler (jesler) [mailto:jesler () cisco com]
> Inviato: venerd? 29 luglio 2016 00:39
> A: Romagnoli Andrea
> Cc: snort-users () lists sourceforge net
> Oggetto: Re: [Snort-users] Catch rate testing with VRT free ruleset
>
> This could depend on configuration of your preprocessors, and what rules
> you are running, as well as how many packets you are dropping.  Our catch
> rate for Breaking Point is much much higher.
>
>
> > On Jul 28, 2016, at 11:56 AM, Andrea Romagnoli <
> andrea.romagnoli () it telecomitalia it> wrote:
> > Hello everyone. We installed Snort 2.9.8.3 (Build 383) with PF_RING on
> > a server with 2 Xeon CPU, 256GB RAM and Ubuntu 14.04.1: our aim is to
> > test Snort in IPS inline mode using IXIA's Breaking Point (traffic
> > generator) We are doing a catch rate testing using updated VRT Free
> > ruleset. Trying hundreds attacks ordered by year (from 2008 to 2015)
> > we reached a catch rate of approximately ~45% (lower: 34.83% with 2008
> attacks, higher:
> > 47.08% with 2015 attacks).
> > In our testbed we enabled all rulesets and we put them in "reject" mode.
> > Do you think that those results are reasonable for a free ruleset such
> > as VRT Free, or we could do a bit more? What results we could expect
> > with VRT Pro?
> >
> > Best regards,
> > Andrea
> >
> > ----------------------------------------------------------------------
> > -------- _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 29 Jul 2016 14:18:44 -0400
> From: fatema bannatwala <fatema.bannatwala () gmail com>
> Subject: [Snort-users] Determining remote proxy servers using snort.
> To: snort-users () lists sourceforge net
> Message-ID:
>         <
> CACX0rUTeLvmdfwfjPrxihiHdZoS2CXRw93Du9AC8Xwsaxo-QDw () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> Recently we have seen an uptick in use of proxy servers to login to the
> accounts from people living in China. And since the connection appears to
> come from US based IP address (probably a proxy) they go un-flagged by the
> IDS/IPS devices, as they see normal logins from United States IP addresses.
> So my question is, is there a way to determine that the incoming connection
> from an IP is actually a proxy server's IP, by looking at some unique
> patterns in data collected by IDS/IPS devices? and if so can we do it using
> snort?
>
> Thanks,
> Fatema.
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 4
> Date: Fri, 29 Jul 2016 15:24:23 -0400
> From: "Michael Steele" <michaels () winsnort com>
> Subject: Re: [Snort-users] Pulledpork does not apply policies to Snort
>         registered rules
> To: "'Shirkdog'" <shirkdog () gmail com>,  "'Joel Esler \(jesler\)'"
>         <jesler () cisco com>
> Cc: 'snort-users mailinglist' <snort-users () lists sourceforge net>,
>         "'Asad, Hafiz ul'" <Hafiz-ul.Asad () city ac uk>
> Message-ID: <001801d1e9ce$d11cb7b0$73562710$@winsnort.com>
> Content-Type: text/plain; charset="utf-8"
>
> Snort will display the number of enabled rules. If the priority is changed
> in PulledPork the number of active rules will change.
>
>
>
> Kindest regards,
>
> Michael...
>
>
>
> WINSNORT.com Management Team Member
>
> --
>
> ****************** Established ~ 2001 *******************
>
> *          Visit Us @  <http://www.winsnort.com> http://www.winsnort.com
>          *
>
> *      ~~ FREE WinIDS Snort installation guides ~~      *
>
> *               ~~ FREE support forums ~~               *
>
> * Snort: Open Source Network IDS -  <http://www.snort.org>
> http://www.snort.org *
>
> *********************************************************
>
>
>
> From: Shirkdog [mailto:shirkdog () gmail com]
> Sent: Friday, July 29, 2016 10:13 AM
> To: Joel Esler (jesler) <jesler () cisco com>
> Cc: Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>; snort-users mailinglist <
> snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Pulledpork does not apply policies to Snort
> registered rules
>
>
>
> I was about to reply to this, as I thought Joel had brought this up as a
> feature before.
>
> If it does not exist as an issue, please add it as a feature request.
>
>
>
> On Jul 29, 2016 10:11 AM, "Joel Esler (jesler)" <jesler () cisco com <mailto:
> jesler () cisco com> > wrote:
>
> Interesting.  Have you filled an issue with pulledpork on the github for
> the project?
>
>
>
> Shirkdog may not be monitoring this list all the time.
>
>
>
>
>
> On Jul 29, 2016, at 8:06 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk
> <mailto:Hafiz-ul.Asad () city ac uk> > wrote:
>
>
>
> Snort Users,
>
>
>
> I have been trying to compare results of different snort rules with
> different policies; Connectivity;Security;Balanced;No-policy. While setting
> these for downloading different community rules using Pulledpork, I was
> able to download different sets of rules for each policy.However, I have
> noticed, that setting up different policies in the "pulledpork.conf" file
> does not have any effect on the downloaded rules for "Snort Registered"
> Rule set (Every time the downloaded rules remain the same no matter what
> policy is set in the file). Is there any explanation for this from the
> Pulledpork point of view?
>
>
>
> Cheers,
>
> Asad
>
>
>
> Hafiz ul Asad
>
> Research Assistant
>
> Center for Software Reliability
>
> School of Mathematics,  Computer Science & Engineering
>
> City University London, EC1V 0HB London
>
> Tel : +44 (0) 20 7040 8422 <tel:%2B44%20%280%29%2020%207040%208422>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
>  <mailto:Snort-users () lists sourceforge net>
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
>  <https://lists.sourceforge.net/lists/listinfo/snort-users>
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>  <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit  <http://blog.snort.org/> http://blog.snort.org to stay
> current on all the latest Snort news!
>
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net <mailto:
> Snort-users () lists sourceforge net>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
>
> ------------------------------------------------------------------------------
>
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 122, Issue 42
> ********************************************
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!