Questions on Disabling Rule Categories


Kevin O'Grady

Apr 6, 2016, 1:37:53 PM
to security-onion
Hey everyone,
I'm following the wiki to disable specific categories within the disabled.conf file and noticed something that I thought was odd.

Within the disabled.conf I've added ET TOR so as to disable Tor-based alerts. Prior to doing so, here's the output of sudo rule-update:

Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 51 rules
Done
Setting Flowbit State....
Enabled 54 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------46
Deleted:---12
Enabled Rules:----26841
Dropped Rules:----0
Disabled Rules:---24236
Total Rules:------51077
No IP Blacklist Changes
Done

Once I added ET TOR to the disabled.conf file and ran sudo rule-update, the number of enabled rules dropped by 18,367. I understand that some rules are dependent on others, but this seems like a drastic change. Is it bad practice to be disabling rules by category?

Here's the output after the change:

Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 18373 rules
Done
Setting Flowbit State....
Enabled 9 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------46
Deleted:---12
Enabled Rules:----8474
Dropped Rules:----0
Disabled Rules:---42603
Total Rules:------51077
No IP Blacklist Changes
Done

Thanks!
Kevin

Wes

Apr 6, 2016, 1:42:32 PM
to security-onion

Kevin,

I'm not sure I would say disabling entire categories is bad practice; it all depends on your environment and what you care about.

You can see the listing of categories and the rule count for each in downloaded.rules by running:

cut -d\" -f2 /etc/nsm/rules/downloaded.rules | awk '{print $1, $2}'|sort |uniq -c |sort -nr

Thanks,
Wes
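The one-liner above counts rules per category but not whether each rule is currently enabled or commented out, so it cannot by itself show which categories a disablesid.conf change actually touched. The following is an added example (not code from the thread or from Security Onion) that parses a rules file the same way, keyed on the first two words of each msg, but keeps enabled and disabled counts separate and diffs two snapshots of downloaded.rules taken before and after a rule-update. The sample rule lines, sids and file names are constructed for the example.

```python
"""Per-category enabled/disabled counts for a Snort or Suricata rules file.

Added example, not from the original thread. It keys on the first two
words of msg, as Wes's `cut -d\\" -f2 | awk '{print $1, $2}'` pipeline
does, but also separates enabled rules from rules pulledpork has
commented out, so a disablesid.conf change can be checked per category.
"""
import re
import sys
from collections import defaultdict

MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
ACTIONS = ("alert", "drop", "pass", "reject", "log")


def parse_rule(line):
    """Return (category, enabled) for a rule line, or None for non-rules.

    pulledpork disables a rule by commenting it out, so a line starting
    with '#' that still parses as a rule is a disabled rule; ordinary
    comments and blank lines are ignored.
    """
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("# \t")
    if not body.startswith(ACTIONS):
        return None
    match = MSG_RE.search(body)
    if match is None:
        return None
    words = match.group(1).split()
    return " ".join(words[:2]), enabled


def category_counts(lines):
    """Map each category to {'enabled': n, 'disabled': m}."""
    counts = defaultdict(lambda: {"enabled": 0, "disabled": 0})
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        category, enabled = parsed
        counts[category]["enabled" if enabled else "disabled"] += 1
    return dict(counts)


def enabled_delta(before, after):
    """Categories whose enabled count changed between two snapshots,
    mapped to the number of enabled rules lost (negative = gained)."""
    delta = {}
    for category in sorted(set(before) | set(after)):
        b = before.get(category, {}).get("enabled", 0)
        a = after.get(category, {}).get("enabled", 0)
        if a != b:
            delta[category] = b - a
    return delta


# Constructed snapshots of downloaded.rules before and after a
# disablesid.conf change; sids and rule bodies are made up for this example.
BEFORE = [
    '# ET TOR rules',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Exit Node Traffic"; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Relay Traffic"; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Constructed Sample"; sid:9000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY Constructed Sample"; sid:9000004; rev:1;)',
    '# alert tcp any any -> any any (msg:"GPL SHELLCODE Constructed Sample"; sid:9000005; rev:1;)',
]
AFTER = [
    '# ET TOR rules',
    '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Exit Node Traffic"; sid:9000001; rev:1;)',
    '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Relay Traffic"; sid:9000002; rev:1;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Constructed Sample"; sid:9000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY Constructed Sample"; sid:9000004; rev:1;)',
    '# alert tcp any any -> any any (msg:"GPL SHELLCODE Constructed Sample"; sid:9000005; rev:1;)',
]


def load(path):
    """Read a rules file; pulledpork output is not always clean UTF-8."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.readlines()


if __name__ == "__main__":
    # Usage: python rulecats.py <downloaded.rules.before> <downloaded.rules.after>
    # With no arguments the constructed snapshots above are used.
    if len(sys.argv) == 3:
        before, after = category_counts(load(sys.argv[1])), category_counts(load(sys.argv[2]))
    else:
        before, after = category_counts(BEFORE), category_counts(AFTER)
    for category, lost in enabled_delta(before, after).items():
        print(f"{category:<20} enabled rules changed by {-lost:+d}")
```

Copying /etc/nsm/rules/downloaded.rules aside before editing disablesid.conf and running rule-update gives the two snapshots; a category other than the one you named showing up in the delta is the signal that the category token did not match what you expected, which is exactly the situation the "ET TOR" entry produced here.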

Heine Lysemose

Apr 6, 2016, 1:47:29 PM
to Kevin O'Grady, security-onion

Hi Kevin,

Can you provide the content of disablesid.conf?

Regards,

Lysemose


Kevin O'Grady

Apr 6, 2016, 2:15:28 PM
to security-onion, ogrady....@gmail.com
Here's the output of the disabled.conf:

sudo vi /etc/nsm/pulledpork/disablesid.conf
# example disablesid.conf V3.1

# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010

# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013

# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!

# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+

# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+

# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp

# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233

# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

# Added by Security Onion Setup
stream-events
pcre:SURICATA\ ICMPv6

# Disabled rules
ET TOR

Kevin O'Grady

Apr 6, 2016, 2:18:18 PM
to security-onion
Hi Wes,
That's what I've been doing, which is why I got a bit nervous: there are only 787 ET TOR rules, but it affected so many more than that once it was disabled. I can grep the rules list for all Tor rules and add just those to the disabled file, but that seems like overkill. Any ideas?
Thanks!
Kevin

Wes

Apr 6, 2016, 2:42:54 PM
to security-onion

You could try "emerging-tor" to see if the results are different.

https://github.com/shirkdog/pulledpork/blob/master/doc/README.CATEGORIES

Thanks,
Wes

Kevin O'Grady

Apr 6, 2016, 3:36:15 PM
to security-onion
Wes,

Tried commenting out all the rules and ran a rule-update to get a clear idea of the number of rules it would affect. The total enabled rules were 26,841.

Then went back and tried using only "emerging-tor", followed by a rule update, and the enabled rule count is still at 26,841. So there was no change using emerging-tor in the disabled.conf file.

Thanks,
Kevin

Wes

Apr 6, 2016, 10:31:27 PM
to security-onion

Kevin,

Try using "ET-emerging-tor". This seems to work for me.

Thanks,
Wes

Kevin O'Grady

Apr 7, 2016, 2:14:13 PM
to security-onion
Wes,

Gave that a shot and still no change in the number of disabled rules. I'm running Suricata; is there anything that differs from how rules would be disabled in Snort?

Thanks!
Kevin

Wes

Apr 7, 2016, 2:34:38 PM
to security-onion

Kevin,

It may be a bit different for Suricata.

Try the following:

"ET-tor"

Thanks,
Wes

Kevin O'Grady

Apr 7, 2016, 3:35:50 PM
to security-onion
Wes,

That seemed to do the trick and adjusted the rules down by the proper amount. So are other categories supposed to be listed like ET-*subject*, VRT-*subject*, GPL-*subject*?

Thanks!
Kevin

Wes

Apr 7, 2016, 3:48:56 PM
to security-onion

For Suricata, this looks to be so.

For Snort, it appears something similar to the following would work:

"ET-emerging-tor" (works for me)
https://github.com/shirkdog/pulledpork/blob/master/doc/README.CATEGORIES

The easiest way to know the specific syntax would probably be to look through downloaded.rules for whatever category you are looking for.

Thanks,
Wes
