ET nogpl and VRT Rules issue


Shane Mullins

Oct 23, 2013, 4:34:14 PM
to securit...@googlegroups.com
Hello everyone,

SO is running great. When I first set up our new box, I chose Snort with the community rules and ET nogpl rules. Everything worked fine. The ET rules really pointed out some things we needed to address. However, somewhere along the way, I have done something to cause the ET nogpl rules to NOT be loaded into Snort. I did suppress several rules that were very noisy.

Checking pulledpork.conf, I see both rulesets listed:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|252ab820e1205ab7ac6adc4a53bc8c552eb0735e

rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl

If I comment out the Snort rules and then run rule-update, the script runs with no errors, and gives these stats:

Rule Stats....
New:-------0
Deleted:---18662
Enabled Rules:----149
Dropped Rules:----0
Disabled Rules:---17265
Total Rules:------17414
Done

Re-enabling the Snort rules, we get these stats:

Rule Stats....
New:-------18662
Deleted:---0
Enabled Rules:----9716
Dropped Rules:----0
Disabled Rules:---26359
Total Rules:------36075
Done


Any thoughts as to what I have messed up?

Shane

Doug Burks

Oct 23, 2013, 6:29:19 PM
to securit...@googlegroups.com
Hi Shane,

Did you perhaps set a policy (connectivity/security/balanced) in pulledpork.conf?  That setting should not be used with the ET ruleset. 


--
Doug Burks
http://securityonion.blogspot.com

Shane Mullins

Oct 23, 2013, 9:04:49 PM
to securit...@googlegroups.com
Thanks Doug,
 
You are correct.  I did set a policy in pulledpork.conf.  I will comment that out now.
 
Thanks so much,
 
Shane
 

Tom

Oct 23, 2013, 7:57:47 PM
to securit...@googlegroups.com
Not trying to hijack the thread, but my situation falls along the same lines,

My original configuration is the Security Policy...but now that I have that rule set running fairly well, I would like to expand my rule set.  I was thinking about adding the emerging threats rule set to my configuration, but, I see that might not work unless I remove the policy for the snort rules?

What would be the proper way to go about this?  Disable the snort.org rules, and then load the emerging threat rules, or remove the policy, and get rid of the heavy hitters, and then add the emerging threats or what?  Do you have any thoughts, recommendations?

btw my whole system has been running flawlessly for a long time now, with only one or two days where I had the finicky kernel issue.
Server with 15 sensors, thanks for all your hard work.


Shane Mullins

Oct 23, 2013, 9:10:30 PM
to securit...@googlegroups.com
I should have paid attention a little better:

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security

Doug Burks

Oct 24, 2013, 6:29:12 AM
to securit...@googlegroups.com
Hi Tom,

Yes, if you're going to run ET rules, you MUST disable the VRT
ips_policy setting. Once you do that of course, you'll have all the
VRT rules in their default state and you would need to manually tune
them if you want to keep that ruleset. If you're considering running
both VRT and ET at the same time, you'll need to do some HEAVY tuning to
ensure that you don't overwhelm your sensors and/or analysts.
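A small sanity check for the pitfall Doug describes, added here as an example and not part of this thread or of PulledPork itself: it parses pulledpork.conf text and flags an active ips_policy line sitting next to an Emerging Threats rule_url, since that combination silently disables the ET rules. The two config snippets are constructed from the lines quoted in this thread, with a placeholder in place of the oinkcode.

```python
import re

# Constructed sample modelled on the lines quoted in this thread: the VRT
# policy was left active alongside an ET rule_url (oinkcode is a placeholder).
SAMPLE_CONF = """\
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl
# What is the base ruleset that you want to use, please uncomment to use
ips_policy=security
"""

# Same file after the fix Shane applied: the policy line is commented out.
FIXED_CONF = SAMPLE_CONF.replace("\nips_policy=", "\n# ips_policy=")

ET_HOST_RE = re.compile(r"emergingthreats(pro)?\.(com|net)", re.IGNORECASE)


def parse_pulledpork(text):
    """Return (rule_urls, ips_policy) from pulledpork.conf text.

    Blank lines and '#' comments are skipped, so a commented-out
    ips_policy counts as unset, which is what PulledPork does too.
    """
    rule_urls, policy = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "rule_url":
            rule_urls.append(value)
        elif key == "ips_policy":
            policy = value
    return rule_urls, policy


def check_policy_vs_et(text):
    """Return a list of findings; an empty list means the config is consistent."""
    rule_urls, policy = parse_pulledpork(text)
    et_urls = [u for u in rule_urls if ET_HOST_RE.search(u)]
    findings = []
    if policy and et_urls:
        hosts = ", ".join(u.split("|")[0] for u in et_urls)
        findings.append(f"ips_policy={policy} is active; PulledPork will "
                        f"disable the ET rules fetched from {hosts}")
    if policy and policy not in ("connectivity", "balanced", "security"):
        findings.append(f"unknown ips_policy value: {policy}")
    return findings


if __name__ == "__main__":
    for finding in check_policy_vs_et(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run it against your real pulledpork.conf by reading the file into `check_policy_vs_et`; no findings means the ET rules will not be disabled by a policy setting.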

Shane Mullins

Oct 24, 2013, 11:13:32 AM
to securit...@googlegroups.com
Thanks so much Doug,

You were right.  Spent most of the morning doing the "heavy" tuning.  This afternoon I will hopefully start working on the fine tuning.

Shane
