How to disable some rules in Snorby


bar...@openmailbox.org

Apr 25, 2014, 4:45:32 AM
to securit...@googlegroups.com
Salutations, I hope everyone is well this night.

I am trying to disable some rules in Snorby that are causing too much
logging, like Ubuntu apt-get's.

I have /etc/nsm/pulledpork/disablesid.conf set up and contains the ID of
the rules I do not want to log. At the moment, this contains:

1:2013504 #ubuntu updates
1:2001595 #skype

But when I try this it does nothing; the events still get logged. I
have restarted the relevant services and have gone as far as rebooting, but
still it logs.

Does anyone know what I might be doing wrong?

Heine Lysemose

Apr 25, 2014, 8:10:48 AM
to securit...@googlegroups.com

Hi

Have you executed sudo rule-update after you edited disablesid.conf?

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

bar...@openmailbox.org

Apr 25, 2014, 9:19:32 AM
to securit...@googlegroups.com, Heine Lysemose
On 2014-04-25 12:10, Heine Lysemose wrote:
> Have you executed sudo rule-update after you edited disablesid.conf?

Sorry, I left that out: yes, I issued /usr/bin/rule-update as root after
each update of the file.


Heine Lysemose

Apr 25, 2014, 10:18:51 AM
to bar...@openmailbox.org, securit...@googlegroups.com

Could you paste in the rules? It might be because of flowbits.

Regards,
Lysemose

bar...@openmailbox.org

Apr 25, 2014, 10:30:36 AM
to Heine Lysemose, securit...@googlegroups.com
On 2014-04-25 14:18, Heine Lysemose wrote:
> Could you paste in the rules, it might be because of flowbits.

Here you go (they were also in the first email):

1:2013504 #ubuntu updates
1:2001595 #skype

I've also tried

#ubuntu updates
1:2013504
#skype
1:2001595

Heine Lysemose

Apr 25, 2014, 1:15:09 PM
to bar...@openmailbox.org, securit...@googlegroups.com

I meant the whole rule not just the rule number.

Regards,
Lysemose

bar...@openmailbox.org

Apr 25, 2014, 2:54:06 PM
to Heine Lysemose, securit...@googlegroups.com
On 2014-04-25 17:15, Heine Lysemose wrote:
> I meant the whole rule not just the rule number.

Ah sorry.

The plot thickens: the rules are commented out in
/etc/nsm/rules/downloaded.rules but are still getting recorded.

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_header; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:3;)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; content:"/ui/"; http_uri; nocase; content:"/getlatestversion?ver="; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:10;)

bar...@openmailbox.org

Apr 25, 2014, 3:20:58 PM
to Heine Lysemose, securit...@googlegroups.com
There is a sid-msg.map in the same directory which has the following
entries uncommented:

2013504 || ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management || url,help.ubuntu.com/community/AptGet/Howto

2001595 || ET CHAT Skype VOIP Checking Version (Startup) || url,doc.emergingthreats.net/2001595 || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf

Doug Burks

Apr 25, 2014, 6:54:36 PM
to securit...@googlegroups.com
If the rules are commented out in downloaded.rules but you're still
receiving alerts, one possibility would be that you generated a large
number of alerts while the rule was still enabled resulting in a
backlog that it's still processing.

How many alerts are coming in and how quickly?
--
Doug Burks

bar...@openmailbox.org

Apr 26, 2014, 3:14:36 AM
to securit...@googlegroups.com, Doug Burks
On 2014-04-25 22:54, Doug Burks wrote:
> If the rules are commented out in downloaded.rules but you're still
> receiving alerts, one possibility would be that you generated a large
> number of alerts while the rule was still enabled resulting in a
> backlog that it's still processing.
>
> How many alerts are coming in and how quickly?

Very few, maybe a couple every hour and the rules have been disabled for
5+ weeks now but are still being logged as of yesterday.

Between being disabled and today, the box has been rebooted, powered off
and had the monitor interface disconnected for 2 days.

Doug Burks

Apr 27, 2014, 8:04:21 AM
to securit...@googlegroups.com
Could you provide screenshots of the alerts?

Is this a single standalone box?
--
Doug Burks

bar...@openmailbox.org

May 2, 2014, 5:15:58 AM
to securit...@googlegroups.com, Doug Burks
On 2014-04-27 12:04, Doug Burks wrote:
> Could you provide screenshots of the alerts?
>
> Is this a single standalone box?


Sorry for the delay Doug.

It is a single standalone box, which for other reasons I've had to
reinstall this week with the 12.04.4 ISO.

Following the reinstall, the disabling of rules is working as expected
now.

Thanks everyone for the assistance.

~~bark

Kasie K. Awagu

Aug 22, 2018, 6:10:09 AM
to security-onion
Please, what does this rule mean?

Wes Lambert

Aug 22, 2018, 7:09:36 AM
to securit...@googlegroups.com
Hi Kasie,

You may want to upgrade to the latest version of Security Onion, as Snorby is no longer supported.

Thanks,
Wes


Wes Lambert

Aug 22, 2018, 8:28:13 AM
to securit...@googlegroups.com
To follow up on the typical disabling of rules: this is done through Pulledpork's disablesid.conf, and thresholding can be achieved through threshold.conf.

Please see:


Thanks,
Wes
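As an added example, not code from this thread, Security Onion or PulledPork, the script below does the check the thread walks through by hand: it reads a disablesid.conf, reads the downloaded.rules that PulledPork writes, and reports for each listed SID whether the rule is actually commented out. Where a listed rule is still active, it also looks for the flowbits case Heine asked about: PulledPork's flowbit tracking keeps a rule enabled when another enabled rule tests a flowbit it sets. The sample disablesid.conf and rules file are constructed; SIDs 9000001 and 9000002 and the flowbit name hypo.seen are hypothetical, and the parser's acceptance of trailing '#' comments and comma-separated entries is an assumption about the file format, not something the thread confirms.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SidKey = Tuple[int, int]  # (gid, sid)

# Constructed sample inputs, not files from the poster's sensor. 2013504 and 2001595 are
# the thread's SIDs; 9000001/9000002 are hypothetical rules that show a flowbit dependency.
DISABLESID_CONF = """\
# a line starting with '#' is a comment
1:2013504 #ubuntu updates
1:2001595 #skype
1:9000001 #hypothetical flowbit setter
"""
DOWNLOADED_RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_header; classtype:not-suspicious; sid:2013504; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow:to_server,established; content:"/ui/"; http_uri; nocase; classtype:policy-violation; sid:2001595; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HYPOTHETICAL setter"; flow:established,to_server; content:"foo"; flowbits:set,hypo.seen; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"HYPOTHETICAL checker"; flow:established,to_client; flowbits:isset,hypo.seen; content:"bar"; sid:9000002; rev:1;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
_FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)(?:\s*,\s*([^;]+))?\s*;")


@dataclass
class Rule:
    enabled: bool
    sets: Set[str] = field(default_factory=set)    # flowbits this rule sets/toggles
    checks: Set[str] = field(default_factory=set)  # flowbits this rule tests

def parse_disablesid(text: str) -> Set[SidKey]:
    """'gid:sid' or bare 'sid' entries, '#' comments anywhere; pcre:/range forms ignored."""
    keys: Set[SidKey] = set()
    for raw in text.splitlines():
        for token in raw.split("#", 1)[0].replace(",", " ").split():
            gid, _, sid = token.rpartition(":")
            if (gid or "1").isdigit() and sid.isdigit():
                keys.add((int(gid or "1"), int(sid)))  # bare SID means gid 1
    return keys

def parse_rules(text: str) -> Dict[SidKey, Rule]:
    """PulledPork disables a rule by prefixing its line with '#', not by deleting it."""
    rules: Dict[SidKey, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        line = line.lstrip("#").strip()
        sid = _SID.search(line)
        if not line.startswith(ACTIONS) or not sid:
            continue  # blank line or ordinary comment, not a rule
        gid = _GID.search(line)
        rule = Rule(enabled)
        for op, names in _FLOWBITS.findall(line):
            for name in filter(None, (n.strip() for n in re.split(r"[&|]", names))):
                if op in ("set", "setx", "toggle"):
                    rule.sets.add(name)
                elif op in ("isset", "isnotset"):
                    rule.checks.add(name)
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = rule
    return rules

def audit(disabled: Set[SidKey], rules: Dict[SidKey, Rule]) -> Dict[SidKey, str]:
    """Map each SID listed in disablesid.conf to its actual state in the rules file."""
    checkers: Dict[str, List[SidKey]] = {}  # flowbit name -> enabled rules that test it
    for key, r in rules.items():
        if r.enabled:
            for name in r.checks:
                checkers.setdefault(name, []).append(key)
    report: Dict[SidKey, str] = {}
    for key in sorted(disabled):
        r = rules.get(key)
        if r is None:
            report[key] = "not present in rules file"
        elif not r.enabled:
            report[key] = "disabled"
        else:
            deps = sorted((n, d) for n in r.sets for d in checkers.get(n, []))
            why = f": sets flowbit {deps[0][0]} checked by enabled rule {deps[0][1][0]}:{deps[0][1][1]}" if deps else ""
            report[key] = "still enabled" + why
    return report

def audit_text(disablesid_text: str, rules_text: str) -> Dict[SidKey, str]:
    return audit(parse_disablesid(disablesid_text), parse_rules(rules_text))

if __name__ == "__main__":
    # On a sensor: python3 audit_disablesid.py /etc/nsm/pulledpork/disablesid.conf /etc/nsm/rules/downloaded.rules
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = audit_text(f1.read(), f2.read())
    else:
        result = audit_text(DISABLESID_CONF, DOWNLOADED_RULES)
    for (gid, sid), status in result.items():
        print(f"{gid}:{sid}  {status}")
```

Run it after rule-update and compare against what Snorby shows. A SID reported as "disabled" that still produces fresh alerts points away from the rule files (the backlog Doug raised, or a sensor not reading the file you edited); a "still enabled" SID with a flowbit dependency is expected behaviour, and the dependent rule is the one to disable or threshold instead.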