Enabling all default Snort Rules


Mike Connors

Jun 24, 2015, 12:47:49 PM
to securit...@googlegroups.com
Hello all,

I am testing some of the sample pcaps that are included in /opt/samples. One of the samples... (Ip-fragment-attack.pcap) does not generate an alert with the emerging threats GPL rule set I have installed.

I have tried to sort through the etc/nsm/rules/downloaded.rules file but it is a lot of information. Is there an easier way to enable all rules?

I want to be able to disable the ones I choose after seeing all possible rules generated.

After doing a quick rule-update I see that there are:
17229 enabled rules
3891 disabled rules
21120 total rules

Thank you in advance for your time.

Best regards,
Mike

CB

Jun 24, 2015, 3:32:54 PM
to securit...@googlegroups.com
Good question Mike - rule management seems very primitive; I thought there must be a web/GUI interface to the rule management aspect.

/CB

Doug Burks

Jun 24, 2015, 4:59:49 PM
to securit...@googlegroups.com
Hi Mike,

Since every IDS rule should contain the word "alert", you should be
able to enable all rules using something like the following in
/etc/nsm/pulledpork/enablesid.conf:
pcre:alert



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
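To make the mechanism in Doug's answer concrete, here is an added illustration (not PulledPork's own code, nor anything from the Security Onion project) of why a `pcre:alert` line in enablesid.conf matches every rule: it parses a constructed rules-file fragment in which disabled rules are commented out with `#`, applies a list of enable patterns to the rule bodies, and reports counts in the same shape as the rule-update summary Mike quotes. The sample rules, SIDs and function names are all constructed for this example.

```python
import re

# Constructed sample in the style of an ET/Snort rules file: a rule is enabled
# when the line begins with its action keyword and disabled when the line is
# commented out. The SIDs and messages are made up for this example.
SAMPLE_RULES = """\
# Emerging Threats GPL sample (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN example"; sid:2000001; rev:1;)
# alert ip any any -> any any (msg:"GPL FRAG example"; sid:2100001; rev:2;)
#alert udp any any -> any 53 (msg:"ET DNS example"; sid:2000002; rev:1;)
alert tcp any any -> any 80 (msg:"ET WEB example"; sid:2000003; rev:3;)
# an ordinary comment line that is not a rule and must not be counted
"""

# Optional leading "#" (with spaces) marks a disabled rule; the body must start
# with a rule action and carry a sid so plain comments are skipped.
RULE_RE = re.compile(
    r'^(?P<comment>#\s*)?(?P<body>(?:alert|drop|pass|log)\s.*sid:\s*(?P<sid>\d+).*)$'
)


def parse_rules(text):
    """Return (sid, enabled, body) for every rule line, ignoring non-rule comments."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group('sid')), m.group('comment') is None, m.group('body')))
    return rules


def apply_enable_pcre(rules, patterns):
    """Re-enable every disabled rule whose body matches any pattern, which is
    what a pcre: entry in enablesid.conf asks for. Already-enabled rules are kept."""
    compiled = [re.compile(p) for p in patterns]
    out = []
    for sid, enabled, body in rules:
        if not enabled and any(c.search(body) for c in compiled):
            enabled = True
        out.append((sid, enabled, body))
    return out


def summary(rules):
    """Enabled/disabled/total counts, in the shape of the rule-update summary."""
    enabled = sum(1 for _, is_on, _ in rules if is_on)
    return {'enabled': enabled, 'disabled': len(rules) - enabled, 'total': len(rules)}
```

Because every rule body in the sample starts with `alert`, `apply_enable_pcre(parse_rules(SAMPLE_RULES), ['alert'])` leaves nothing disabled, whereas a narrower pattern such as `['FRAG']` re-enables only the matching rule; the precedence PulledPork applies between enablesid.conf and disablesid.conf is not modelled here.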

Doug Burks

Jun 24, 2015, 5:00:11 PM
to securit...@googlegroups.com
On Wed, Jun 24, 2015 at 3:32 PM, CB <cr...@advancedcybersecurity.co.uk> wrote:
> Good question Mike - rule management seems very primitive; I thought there must be a web/GUI interface to the rule management aspect.

Hi CB,

Patches are always welcome! ;)

CB

Jun 24, 2015, 5:06:20 PM
to securit...@googlegroups.com
I don't think this is a limitation of SO, but with Snort being available for nearly 20 years and so widely used as a standalone product and integrated in many platforms, I thought somebody would have created a project around this.

/CB

Doug Burks

Jun 24, 2015, 5:25:17 PM
to securit...@googlegroups.com
On Wed, Jun 24, 2015 at 5:06 PM, CB <cr...@advancedcybersecurity.co.uk> wrote:
> I don't think this is a limitation of SO, but with Snort being available for nearly 20 years and so widely used as a standalone product and integrated in many platforms, I thought somebody would have created a project around this.

That somebody could be you! ;)

Mike Connors

Jun 24, 2015, 5:40:30 PM
to securit...@googlegroups.com
Thank you for your answers gentlemen.

-Mike

Sent from my iPhone

Doug Burks

Jun 24, 2015, 10:46:24 PM
to securit...@googlegroups.com
I should re-emphasize here that enabling all rules should only be done
temporarily. Long term you should only run the rules necessary for
your environment.

Mike Connors

Jun 25, 2015, 7:34:45 AM
to securit...@googlegroups.com
Thank you Doug,

Absolutely. I am just trying to get a handle on which alerts are relevant to my application.

In your opinion what are the benefits of using the emerging threats PRO, or snort VRT ruleset over GPL?

Thank you once again for your time.

Best regards,
Mike

Sent from my iPhone


Doug Burks

Jun 25, 2015, 7:37:07 AM
to securit...@googlegroups.com
On Thu, Jun 25, 2015 at 7:34 AM, Mike Connors <mikekc...@gmail.com> wrote:
> In your opinion what are the benefits of using the emerging threats PRO, or snort VRT ruleset over GPL?

You should try them in your environment to see which provides best
coverage for your environment.

Mike Connors

Jun 25, 2015, 9:11:49 AM
to securit...@googlegroups.com
That makes sense. As I am unaware of some of the threats that may be lurking, I am unsure what the best ruleset is for my situation.
Is there any documentation to review the pros and cons of GPL vs PRO?

I have added pcre:alert to the enable PulledPork config file. Is there an equal but opposite command I can run in the disable file (to turn on any disabled alerts)? My rule-update summary still shows 1185 disabled rules...

Thanks again!

Sent from my iPhone

Doug Burks

Jun 25, 2015, 11:47:23 PM
to securit...@googlegroups.com
Replies inline.

On Thu, Jun 25, 2015 at 9:11 AM, Mike Connors <mikekc...@gmail.com> wrote:
> That makes sense. As I am unaware of some of the threats that may be lurking, I am unsure what the best ruleset is for my situation.
> Is there any documentation to review the pros and cons of GPL vs PRO?

I would imagine that the PRO sales representatives might be able to
provide you this kind of information.

> I have added pcre:alert to the enable PulledPork config file. Is there an equal but opposite command I can run in the disable file (to turn on any disabled alerts)? My rule-update summary still shows 1185 disabled rules...

Are you looking at the rule-update summary from sostat? That may only
be showing the last run of the cron job, which may have been from
before you added pcre:alert to enablesid.conf.



