Re: Enabling all the rules for testing using PulledPork?


JJ Cummings

Sep 24, 2013, 2:55:30 PM
to pulledpo...@googlegroups.com, <pulledpork-users@googlegroups.com>, <snort-users@lists.sourceforge.net>
PCRE wildcard "." In enablesid

Sent from the iRoad

On Sep 24, 2013, at 11:07, "Michael Steele" <mich...@go2dds.com> wrote:

Is there a way to easily enable all the rules using PulledPork

Best regards,

Michael Steele

3842 Echo Farms Blvd
Wilmington, NC  28412

Mobile: (910) 431-0285
Home: (910) 799-4856
E-mail: mich...@go2dds.com

--
You received this message because you are subscribed to the Google Groups "pulledpork users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pulledpork-use...@googlegroups.com.
To post to this group, send email to pulledpo...@googlegroups.com.
Visit this group at http://groups.google.com/group/pulledpork-users.
For more options, visit https://groups.google.com/groups/opt_out.

Michael Steele

Sep 24, 2013, 4:18:59 PM
to pulledpo...@googlegroups.com, snort...@lists.sourceforge.net

Just to be clear, I'm going to add the below line to my enablesid.conf file?

PCRE wildcard "."

Best regards,

Michael...

From: pulledpo...@googlegroups.com [mailto:pulledpo...@googlegroups.com] On Behalf Of JJ Cummings
Sent: Tuesday, September 24, 2013 2:56 PM
To: pulledpo...@googlegroups.com
Cc: <pulledpo...@googlegroups.com>; <snort...@lists.sourceforge.net>
Subject: Re: Enabling all the rules for testing using PulledPork?

PCRE wildcard "." In enablesid

Sent from the iRoad


On Sep 24, 2013, at 11:07, "Michael Steele" <mich...@go2dds.com> wrote:

Is there a way to easily enable all the rules using PulledPork

Best regards,

Michael

JJ Cummings

Sep 24, 2013, 8:13:38 PM
to Joel Esler, Michael Steele, Snort Users, pulledpo...@googlegroups.com
In enablesid you should literally be able to just use a . to wildcard... It's a pcre just looking for a match, not a switch...

Sent from the iRoad

On Sep 24, 2013, at 16:15, Joel Esler <jes...@sourcefire.com> wrote:

s/^#\ alert/alert/g

I don’t know the pulledpork syntax for it..

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Michael Steele

Feb 18, 2014, 9:53:27 AM
to pulledpo...@googlegroups.com, <snort-users@lists.sourceforge.net>
I have users asking why they are not seeing any alerts when they install PP, and using the 'security' setting. For testing purposes, I would like to write something up that tells the installer how to enable all the rules for testing purposes only.

So I'm adding the next line to the enablesid.conf file, and is it correct?

PCRE wildcard "."

Also does the following line in the pulledpork.conf need to be enabled, disabled, or it doesn't matter?

ips_policy=security

The above should activate all the alerts?

In the latest rule set there are three alerts that cause Snort to fail unless they are disabled.

os-linux.rules:
Line 23: # alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; content:"|11|"; depth:1; content:"|00|"; within:1; isdataat:11; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:2;)

server-other.rules:

Line 289: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:3;)

Line 290: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:3;)

By enabling all the alerts, what will I need to do to make sure these three rules are disabled after PP enables all the alerts?

To revert back to the original 'ips_policy=security' setting: remove the line added to the 'enablesid.conf' file, and run PP again?

Will the three disabled rules above need to be removed, or will it matter?

Thanks...

On Tuesday, September 24, 2013 2:55:30 PM UTC-4, JJC wrote:
PCRE wildcard "." In enablesid

Sent from the iRoad

On Sep 24, 2013, at 11:07, "Michael Steele" <mich...@go2dds.com> wrote:

Is there a way to easily enable all the rules using PulledPork

Best regards,

Michael
--

JJC

Feb 18, 2014, 11:00:11 AM
to pulledpo...@googlegroups.com, pulledpo...@googlegroups.com, <snort-users@lists.sourceforge.net>
Inline

Sent from the iRoad

On Feb 18, 2014, at 6:53, Michael Steele <mich...@go2dds.com> wrote:

I have users asking why they are not seeing any alerts when they install PP, and using the 'security' setting. For testing purposes, I would like to write something up that tells the installer how to enable all the rules for testing purposes only.

So I'm adding the next line to the enablesid.conf file, and is it correct?

PCRE wildcard "."

Yes


Also does the following line in the pulledpork.conf need to be enabled, disabled, or it doesn't matter?

ips_policy=security

The above should activate all the alerts?

In the latest rule set there are three alerts that cause Snort to fail unless they are disabled.

os-linux.rules:
Line 23: # alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; content:"|11|"; depth:1; content:"|00|"; within:1; isdataat:11; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:2;)

server-other.rules:

Line 289: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:3;)

Line 290: # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:3;)

By enabling all the alerts, what will I need to do to make sure these three rules are disabled after PP enables all the alerts?

Add their sid to disablesid.conf and make sure that disablesid runs last.


To revert back to the original 'ips_policy=security' setting: remove the line added to the 'enablesid.conf' file, and run PP again?

Yes


Will the three disabled rules above need to be removed, or will it matter?

Doesn't matter...
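The two points JJC makes (a bare `.` as the pcre entry in enablesid matches every rule, and disablesid must run after enablesid so the listed sids are taken back out) can be checked with a small Python reimplementation of the state-modification pass. This is an added example, not PulledPork's code: it assumes the entry forms from PulledPork's sample conf files (`gid:sid`, `gid:sid-gid:sid` ranges, category names and `pcre:` regexes) and, as a simplification, matches category names against the rule's msg prefix rather than the rule file name. The rule lines are constructed, shortened versions of the three rules quoted above plus two made-up sids.

```python
import re

# Constructed sample rule file: shortened versions of the three rules quoted in the
# thread (sids 25314, 20747, 20746, all commented out) plus two made-up rules.
SAMPLE_RULES = """\
# alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:igmp; sid:25314; rev:2;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; sid:20747; rev:3;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:igmp; sid:20746; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC constructed sample"; sid:1000001; rev:1;)
# alert tcp any any -> any any (msg:"POLICY-OTHER constructed sample"; sid:1000002; rev:1;)
"""

# A rule line, optionally commented out with a leading "#".
RULE_RE = re.compile(r'^\s*(#\s*)?((?:alert|log|pass|drop|reject|sdrop)\s.*\(.*\))\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_rules(text):
    """Return rule dicts: gid, sid, msg, body (without the '# '), enabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and plain comments are not rules
        body = m.group(2)
        sid = SID_RE.search(body)
        if not sid:
            continue
        gid, msg = GID_RE.search(body), MSG_RE.search(body)
        rules.append({"gid": int(gid.group(1)) if gid else 1, "sid": int(sid.group(1)),
                      "msg": msg.group(1) if msg else "", "body": body,
                      "enabled": m.group(1) is None})
    return rules


def parse_conf(text):
    """Parse enablesid/disablesid entries (assumed forms: gid:sid, gid:sid-gid:sid,
    pcre:regex, category name). '#' starts a comment, as in the sample conf files."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("pcre:"):
            entries.append(("pcre", re.compile(line[5:])))  # whole remainder is the regex
            continue
        for tok in (t.strip() for t in line.split(",") if t.strip()):
            rng = re.fullmatch(r'(\d+):(\d+)-(\d+):(\d+)', tok)
            one = re.fullmatch(r'(\d+):(\d+)', tok)
            if rng:
                entries.append(("range", tuple(int(x) for x in rng.groups())))
            elif one:
                entries.append(("sid", (int(one.group(1)), int(one.group(2)))))
            else:
                entries.append(("category", tok))  # anything else is treated as a category
    return entries


def matches(rule, entry):
    kind, val = entry
    if kind == "sid":
        return (rule["gid"], rule["sid"]) == val
    if kind == "range":
        return (val[0], val[1]) <= (rule["gid"], rule["sid"]) <= (val[2], val[3])
    if kind == "pcre":
        return val.search(rule["body"]) is not None  # "." matches every rule body
    # Category (simplification): matched against the msg prefix, e.g. "SERVER-OTHER ...".
    return rule["msg"].upper().startswith(val.upper() + " ")


def apply_state(rules, entries, enable):
    """Set every matching rule to the requested state; return how many changed."""
    modified = 0
    for rule in rules:
        if rule["enabled"] != enable and any(matches(rule, e) for e in entries):
            rule["enabled"] = enable
            modified += 1
    return modified


def process(rules_text, enablesid="", disablesid=""):
    """Run the passes in the order PulledPork reports them: enablesid, then disablesid last."""
    rules = parse_rules(rules_text)
    counts = {"enablesid": apply_state(rules, parse_conf(enablesid), True)}
    counts["disablesid"] = apply_state(rules, parse_conf(disablesid), False)
    return rules, counts


def enabled_sids(rules):
    return sorted(r["sid"] for r in rules if r["enabled"])


def render(rules):
    """Write the rules back out, commenting out the disabled ones."""
    return "\n".join(r["body"] if r["enabled"] else "# " + r["body"] for r in rules) + "\n"


if __name__ == "__main__":
    rules, counts = process(SAMPLE_RULES, enablesid="pcre:.",
                            disablesid="1:25314,1:20747,1:20746")
    for name, n in counts.items():
        print(f"Processing {name}.conf.... Modified {n} rules")
    print(render(rules))
```

The `Modified N rules` counter is the thing to read after each pass: with `pcre:.` in enablesid every commented-out rule is switched on, and the three sids listed in disablesid are switched back off because that pass runs last. An entry that matches no rule in any of the assumed forms leaves the counter at 0, which is the same signal PulledPork's own output gives.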

Michael Steele

Feb 18, 2014, 11:27:00 AM
to pulledpo...@googlegroups.com

Windows

Best regards,

Michael

Michael Steele

Feb 18, 2014, 12:28:35 PM
to pulledpo...@googlegroups.com

I have set the enablesid.conf to:

PCRE wildcard "."

After running PP I get:

Cleanup....
        removed 120 temporary snort files or directories from d:\winids\pulled
rk\temp/tha_rules!
Activating security rulesets....
        Done
Modifying Sids....
        Done!
Processing d:\winids\pulledpork\etc\enablesid.conf....
        Modified 0 rules
        Done
Processing d:\winids\pulledpork\etc\dropsid.conf....
        Modified 0 rules
        Done
Processing d:\winids\pulledpork\etc\disablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 717 flowbits
        Enabled 25 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
        Done
Writing d:\winids\snort\rules\winids.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 d:\winids\snort\etc\sid-msg.map....
        Done
Writing d:\winids\snort\log\sid_changes.log....
        Done
Rule Stats...
        New:-------54
        Deleted:---15
        Enabled Rules:----6423
        Dropped Rules:----0
        Disabled Rules:---13662
        Total Rules:------20085
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

D:\winids>taskkill /F /IM barnyard2.exe
SUCCESS: The process "barnyard2.exe" with PID 3248 has been terminated.

D:\winids>d:\winids\barnyard2\barnyard2.exe -c d:\winids\barnyard2\etc\barnyar
.conf -d d:\winids\snort\log -f merged.log -l d:\winids\barnyard2 -w d:\winids
nort\log\barnyard.waldo
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "d:\winids\barnyard2\etc\barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [32768]
Log directory = d:\winids\barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: compiled support for (postgresql)
database: configured to use mysql
database: schema version = 107
database:           host = winids
database:           user = snort
database:  database name = snort
database:    sensor name = WinIDS-Home
database:      sensor id = 1
database:     sensor cid = 12227
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <fir...@securixlive.com>

Using waldo file 'd:\winids\snort\log\barnyard.waldo':
    spool directory = d:\winids\snort\log
    spool filebase  = merged.log
    time_stamp      = 1392732390
    record_idx      = 0
Opened spool file 'd:\winids\snort\log/merged.log.1392732390'
Waiting for new data

Best regards,

Michael


Michael Steele

Feb 18, 2014, 3:56:50 PM
to pulledpo...@googlegroups.com, <snort-users@lists.sourceforge.net>
Attached are my configuration files. Can you take a look and make SURE they are correct.

My PP run line:

pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vT


On Tuesday, September 24, 2013 2:55:30 PM UTC-4, JJC wrote:
PCRE wildcard "." In enablesid

Sent from the iRoad

On Sep 24, 2013, at 11:07, "Michael Steele" <mich...@go2dds.com> wrote:

Is there a way to easily enable all the rules using PulledPork

Best regards,

Michael
--
enablesid.conf
pulledpork.conf