Best way to find out enable/disable status of a rule


Ricky Huang

Mar 13, 2013, 1:55:56 PM
to pulledpo...@googlegroups.com
Hello,

I was looking through snort.rules, and sid-msg.map to get a better sense of what PP generates and noticed that some rules are commented out, for example, 17031 in /usr/local/etc/snort/rules/snort.rules:

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)

And it shows up in sid-msg.map without any indication of being commented out:

17031 || POLICY-SPAM burnshy.ru known spam email attempt

Is the assumption that rule is disabled correct?  If so, I would like to ask what's the best way to see the list of rules I have available as well as their status (other than browsing the entire snort.rules file).


Thanks!

JJC

Mar 13, 2013, 2:16:30 PM
to pulledpo...@googlegroups.com
if it's commented out in /usr/local/etc/snort/rules/snort.rules then
it's disabled... sid-msg.map has nothing to do with rule state.. to
see what is enabled grep through the rules.. grep -E
'^(alert|drop|pass)' /usr/local/etc/snort/rules/snort.rules

There is no simple way to see what all rules are in what state.. the
newer version of PP in svn breaks the rules out by category in the
/usr/local/etc/snort/rules/snort.rules file so that helps but...

JJC

Ricky Huang

Mar 13, 2013, 4:58:05 PM
to pulledpo...@googlegroups.com
On Mar 13, 2013, at 11:16 AM, JJC <cumm...@gmail.com> wrote:

> if it's commented out in /usr/local/etc/snort/rules/snort.rules then
> it's disabled...

For whatever reason I thought snort.rules is compiled together from all of VRT's rules. If so, why do rules come commented out? (Or maybe my assumption on snort.rules was incorrect?)

> sid-msg.map has nothing to do with rule state.. to
> see what is enabled grep through the rules.. grep -E
> '^(alert|drop|pass)' /usr/local/etc/snort/rules/snort.rules

Thanks!

JJC

Mar 14, 2013, 10:06:36 AM
to pulledpo...@googlegroups.com
Inline...

On Wed, Mar 13, 2013 at 2:58 PM, Ricky Huang <rhuan...@gmail.com> wrote:
> On Mar 13, 2013, at 11:16 AM, JJC <cumm...@gmail.com> wrote:
>
> if it's commented out in /usr/local/etc/snort/rules/snort.rules then
> it's disabled…
>
>
> For whatever the reason I thought snort.rules is compiled together from all
> of VRT's rules. If so, why do rules come commented out? (Or maybe my
> assumption on snort.rules was incorrect?)

It is... just because it's commented out doesn't mean it's not there,
just that it's not enabled. The idea behind PP is not to enable all
rules, frankly you don't want to do that.. you only want the stuff
that is relevant and current... This is where the base policy stuff
comes in (read connectivity, balanced and security) kind of thing.

JJC
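One way to get the per-sid listing Ricky asked for, combining JJC's two points above (a leading '#' means the rule is present but disabled, and sid-msg.map says nothing about state). This is an added Python example, not PulledPork's own code: it parses a constructed snort.rules excerpt and cross-references it with a constructed sid-msg.map. The sid 17031 line is the one quoted in the thread; sid 1000001 and its rule, and the orphan sid 1000002, are made up for the example.

```python
import re

# Constructed sample of a PulledPork-generated snort.rules: a category header, one
# enabled rule (sid 1000001, a made-up local sid) and the commented-out sid 17031
# from the thread. A leading '#' means the rule is present but disabled.
SNORT_RULES = """\
# ----- POLICY-SPAM -----
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM example.test known spam email attempt"; flow:to_server,established; content:"example.test"; nocase; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
"""
# Constructed sid-msg.map; it carries no enabled/disabled information at all.
SID_MSG_MAP = """\
17031 || POLICY-SPAM burnshy.ru known spam email attempt
1000001 || POLICY-SPAM example.test known spam email attempt
1000002 || LOCAL constructed entry with no matching rule in snort.rules
"""

# One rule line, optionally commented out; the action list is the Snort 2 rule action set.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+\S+\s.*?\((?P<opts>.*)\)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

def parse_rules(text):
    """Map sid -> {enabled, action, msg} for every rule, commented out or not."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line, category header or an ordinary comment
        sid, msg = SID_RE.search(m.group('opts')), MSG_RE.search(m.group('opts'))
        if not sid:
            continue  # malformed rule without a sid; skip rather than guess
        rules[int(sid.group(1))] = {'enabled': m.group('disabled') is None,
                                    'action': m.group('action'), 'msg': msg.group(1) if msg else ''}
    return rules

def parse_sid_msg_map(text):
    """Parse 'sid || msg [|| reference ...]' lines into {sid: msg}."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split('||')]
        if len(parts) >= 2 and parts[0].isdigit():
            out[int(parts[0])] = parts[1]
    return out

def status_report(rules, sid_map):
    """State of each sid in sid-msg.map: enabled, disabled, or missing from snort.rules."""
    return {sid: ('enabled' if rules[sid]['enabled'] else 'disabled') if sid in rules else 'missing'
            for sid in sid_map}
```

Point the two constants at the real files (read them from /usr/local/etc/snort/rules/) and the report gives the state of every sid the map lists, which the grep alone does not.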