Snort mailing list archives

Re: querying www.snort.org/rule_docs/{REV}-{SID}


From: wkitty42--- via Snort-users <snort-users () lists snort org>
Date: Mon, 21 Jan 2019 06:50:34 -0500

On 1/21/19 6:05 AM, koppfabi wrote:
> I would like to query https://www.snort.org/rule_docs/{REV}-{SID} for meta-information about all the rules, in order to decide if the rule should be turned on or off in an environment.

isn't this metadata already available in the rules themselves?

e.g.:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)


so in the above, we have:
- the MSG that states what the rule looks for
- the rule's flow direction, origin and destination
- content that the rule is looking for
- this rule is thresholded, looking for one connection from the same source every five minutes
- the rule's reference url
- the rule's classification
- the rule's SID and revision
- metadata stating when the rule was created and last updated

other than what might happen to be written up at the given URL, what else are we looking for?

so, if this is everything being sought, and it is all the available information after all, then scanning the rules locally would probably be more of what you want to do...



--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
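An added example of the local scan suggested in the reply above; it is not code from the message, from koppfabi, or from the Snort project. It parses the rule header (action, protocol, source, direction, destination) and the option fields the reply lists (msg, flow, content, threshold, reference, classtype, sid, rev, metadata) out of a rules file so an on/off decision can be made from the local text. The sample rules text is constructed from the rule quoted above plus one commented-out rule; the option names and the header layout are standard Snort syntax.

```python
import re
# Constructed sample input: the rule quoted in the message above, plus a
# commented-out rule to show that disabled rules are skipped.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:1; rev:1;)
'''

# Rule header: action proto src src_port direction dst dst_port (options)
HEADER = re.compile(r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
HEADER_KEYS = ('action', 'proto', 'src', 'src_port', 'direction', 'dst', 'dst_port')

def split_options(body):
    """Split the option body on ';' outside double quotes; backslash escapes are honoured."""
    opts, cur, quoted, escaped = [], '', False, False
    for ch in body:
        if escaped:
            cur += ch; escaped = False
        elif ch == '\\':
            cur += ch; escaped = True
        elif ch == ';' and not quoted:
            opts.append(cur.strip()); cur = ''
        else:
            quoted ^= (ch == '"'); cur += ch
    return [o for o in opts + [cur.strip()] if o]

def parse_rule(line):
    """Return header fields plus the option metadata the reply lists, or None for a non-rule line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    info = dict(zip(HEADER_KEYS, m.groups()[:7]))
    info.update(references=[], metadata={}, contents=[])
    for opt in split_options(m.group(8)):
        key, _, val = (s.strip() for s in opt.partition(':'))
        if key in ('msg', 'classtype', 'flow', 'threshold'):
            info[key] = val.strip('"')
        elif key in ('sid', 'rev'):
            info[key] = int(val)
        elif key in ('reference', 'content'):
            info[key + 's'].append(val)       # a rule may carry several of each
        elif key == 'metadata':
            for item in val.split(','):       # "created_at 2010_07_30, updated_at ..."
                k, _, v = item.strip().partition(' ')
                info['metadata'][k] = v.strip()
    return info

def scan_rules(text):
    """Parse every enabled rule in a rules file; '#' lines (disabled rules) are skipped."""
    return [r for r in (parse_rule(l) for l in text.splitlines() if not l.lstrip().startswith('#')) if r]
```

Feed `scan_rules` the text of each local `.rules` file and filter on `classtype`, `metadata['updated_at']` or `references` to decide which SIDs to enable.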