Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: [Snort-users] How to activate all rules using PulledPork?

165 views
Skip to first unread message

SnortFan

unread,
Feb 20, 2014, 7:28:40 PM2/20/14
to
If your talking about all those commented out rules that pulled pork leaves in the snort.rules file, try adding the snort rules categories in the enablesid file.  

If you need a list of the categories, their names are in the snort.rules file or I can find it in one of my emails to the forum.

Cheers,
Ed

Sent from a mobile device. 

On Feb 20, 2014, at 2:14 PM, "Michael Steele" <mich...@winsnort.com> wrote:

I've been trying to get PulledPork to enable all rules, and so far all help has stalled in the PulledPork Google Groups.

 

I'm told by JJ that it is possible, and he has instructed me to add add <PCRE wildcard "."> (everything between the <>) to the enablesid.conf, and all the alerts would be activated.

 

I’m having no problems processing rules any one of the three IP_Policy settings

 

Hopefully someone has a solution to this?

 

Here is my pulledpork.conf:

 

# Config file for pulledpork

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>

rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community

rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open

rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>

temp_path=d:\winids\pulledpork\temp

rule_path=d:\winids\snort\rules\winids.rules

local_rules=d:\winids\snort\rules\local.rules

sid_msg=d:\winids\snort\etc\sid-msg.map

sid_msg_version=1

sid_changelog=d:\winids\snort\log\sid_changes.log

sorule_path=/usr/local/lib/snort_dynamicrules/

snort_path=/usr/local/bin/snort

config_path=/usr/local/etc/snort/snort.conf

distro=FreeBSD-8.1

docs=d:\winids\Apache24\htdocs\base\signatures\

snort_version=2.9.5.6

enablesid=d:\winids\pulledpork\etc\enablesid.conf

dropsid=d:\winids\pulledpork\etc\dropsid.conf

disablesid=d:\winids\pulledpork\etc\disablesid.conf

modifysid=d:\winids\pulledpork\etc\modifysid.conf

ips_policy=security

version=0.7.0

 

 

Here is my enablesid.conf:

 

# example enablesid.conf v3.1

PCRE wildcard "."

 

Here is my run line:

 

pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vT

 

TIA...

Michael...

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

SnortFan

unread,
Feb 24, 2014, 12:46:43 PM2/24/14
to
Hi Michael,  
    You can have the file sit there if you'd like, you just have to have the reference uncommented and correctly defined in your pulledpork.conf. 

Here is my list:


app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11


If you want you can disable by placing a # in front of any line. So #x11 would disable pulledpork from enabling the x11 rules. 

Note:  the category is not the same a class type.  I've seen multiple class types lumped into a catagory. 

Before you add them and do a pull, do a line count of uncommented lines in your snort.rules file. Then do the same after. 

Enjoy,
Ed 

Sent from a mobile device. 

On Feb 23, 2014, at 8:11 PM, "Michael Steele" <mich...@winsnort.com> wrote:

All I do is add the attached enablesid.conf to the pulledpork/etc folder?

 

Is the list correct format?

 

Michael...

<enablesid.conf>
0 new messages