Snort Rules Being Disabled


Christopher Lowson

Feb 26, 2014, 4:17:39 PM2/26/14
to securit...@googlegroups.com
Hey guys, can anyone tell me what option is setting some Snort rules to be disabled?

Disabled Rules:---3484

Rule Stats....
New:-------0
Deleted:---0
Enabled Rules:----16169
Dropped Rules:----0
Disabled Rules:---3484
Total Rules:------19653
Done

I removed this line in the /etc/nsm/pulledpork/pulledpork.conf

ignore=deleted.rules,experimental.rules,local.rules

but it had no effect...

Any ideas?

Thanks

Christopher Lowson

Feb 26, 2014, 5:20:03 PM2/26/14
to securit...@googlegroups.com
Also if I add / sub snort.org rules where do they go/how can I disable rules I don't want? They don't seem to be added to the /etc/nsm/rules folder.

I get flooded with "stream5: TCP Small Segment Threshold Exceeded" alerts.

Matt Gregory

Feb 26, 2014, 6:38:01 PM2/26/14
to securit...@googlegroups.com
Hi Christopher,

Although a great number of rules are enabled by default if you do no tuning, not all of them are.  You'll want to tune your rules down to the 5,000-6,000 range for performance reasons and to reduce false positives.

You can disable and enable rules and/or categories by adding them to /etc/nsm/pulledpork/disablesid.conf and /etc/nsm/pulledpork/enablesid.conf, respectively.
Matt


On Wed, Feb 26, 2014 at 5:20 PM, Christopher Lowson <lowson...@gmail.com> wrote:
Also if I add / sub snort.org rules where do they go/how can I disable rules I don't want? They don't seem to be added to the /etc/nsm/rules folder.

I get flooded with "stream5: TCP Small Segment Threshold Exceeded" alerts.

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Christopher Lowson

Feb 26, 2014, 6:47:15 PM2/26/14
to securit...@googlegroups.com
On Wednesday, February 26, 2014 6:38:01 PM UTC-5, Matt wrote:
> Hi Christopher,
>
> Although a great number of rules are enabled by default if you do no tuning, not all of them are.  You'll want to tune your rules down to the 5,000-6,000 range for performance reasons and to reduce false positives.
>
>
> You can disable and enable rules and/or categories by adding them to /etc/nsm/pulledpork/disablesid.conf and /etc/nsm/pulledpork/enablesid.conf, respectively.
>
>
> See these Wiki links:
>
> https://code.google.com/p/security-onion/wiki/ManagingAlerts
>
> https://code.google.com/p/security-onion/wiki/AddingLocalRules
>
>
> Matt

Hey Matt,

I have followed all of these without issues, but I still see 3484 rules disabled. I was wondering why, and whether the rules were downloaded like this or an option inside the system was blocking them.

I removed the ignore=deleted.rules,experimental.rules,local.rules line,
but it had no effect.

As for my second question.

I enabled the snort.org rules, but I can't seem to disable some sections of the rules, like preproc_rules/preprocessor.rules. I added preprocessor.rules to the ignore list in pulledpork.conf, but it had no effect, and I was unable to find the location of the new .rules files; they are not with the others.

Doug Burks

Feb 27, 2014, 7:48:24 AM2/27/14
to securit...@googlegroups.com
Hi Chris,

What's the output of the following?

ls -alh /etc/nsm/rules/



--
Doug Burks

Christopher Lowson

Feb 27, 2014, 4:56:57 PM2/27/14
to securit...@googlegroups.com
On Thursday, February 27, 2014 7:48:24 AM UTC-5, Doug Burks wrote:
> Hi Chris,
>
> What's the output of the following?
>
> ls -alh /etc/nsm/rules/


Hey Doug,

~# ls -alh /etc/nsm/rules/
total 12M
drwxr-xr-x 3 root root 4.0K Feb 27 21:14 .
drwxr-xr-x 7 root root 4.0K Feb 26 00:17 ..
drwxr-xr-x 2 root root 4.0K Feb 27 21:24 backup
-rw-r--r-- 1 root root 0 Feb 25 21:27 black_list.rules
-rw-r--r-- 1 root root 0 Feb 26 00:17 bpf.conf
lrwxrwxrwx 1 root root 25 Feb 26 00:18 bro -> /opt/bro/share/bro/policy
-rw-r--r-- 1 root root 12K May 29 2013 decoder-events.rules
-rw-r--r-- 1 root root 8.3M Feb 27 21:24 downloaded.rules
-rw-r--r-- 1 root root 2.8K Feb 26 21:10 files.rules
-rw-r--r-- 1 root root 6.9K May 29 2013 http-events.rules
-rw-r--r-- 1 root root 0 Dec 18 2012 local.rules
-rw-r--r-- 1 root root 2.8M Feb 27 21:24 sid-msg.map
-rw-r--r-- 1 root root 2.4K Nov 1 2012 smtp-events.rules
-rw-r--r-- 1 root root 0 Feb 27 21:24 so_rules.rules
-rw-r--r-- 1 root root 9.5K May 29 2013 stream-events.rules
-rw-r--r-- 1 root root 2.5K Feb 26 00:17 threshold.conf
-rw-r--r-- 1 root root 0 Feb 25 21:27 white_list.rules


For the second question:

I found the rules but still having issues...

My issue is after enabling the snort.org rules I was flooded with these stream5 rules (see image rules.PNG)

When I went to see what the rule was, I got a message saying it is unable to display (see image id.PNG).

When I download the rules tar file I can find the rule here in the msg.map:

Format: File || generatorid || alertid || MSG
etc/gen-msg.map || 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
etc/gen-msg.map || 138 || 5 || sensitive_data: sensitive data - eMail addresses

Now this shows me the generatorid and the alertid.

The alertid matches the same value listed in the Database:

| 1096 | stream5: TCP Small Segment Threshold Exceeded | 12 |
| 40 | stream5: Reset outside window | 15 |
| 3 | sensitive_data: sensitive data global threshold exceeded | 1 |

When I attempt to disable this SID in pulledpork/disablesid.conf, there is no change to the rules that are pushed to the sensors.

Any ideas?

Attachments: rules.PNG, id.PNG

Christopher Lowson

Feb 27, 2014, 5:02:08 PM2/27/14
to securit...@googlegroups.com
Might have answered my own question,

I'm going to add both the generator ID and the alert ID in disablesid.conf, as I seem to have overlooked that and only added the "1:" as I have always done.

Christopher Lowson

Feb 27, 2014, 5:11:43 PM2/27/14
to securit...@googlegroups.com
On Thursday, February 27, 2014 5:02:08 PM UTC-5, Christopher Lowson wrote:
> Might have answered my own question,
>
> Im going to add both the generatorid and the alertid in the disablesid.conf as i seem to have over looked that and only add the 1: as I have always done.

Looks like it worked. I had overlooked that disabling it needs both the generator ID and the alert ID.
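The point Matt's answer and the final reply both turn on is that a disablesid.conf entry is gid:sid, and a preprocessor alert such as stream5 (generator 129) is never matched by an entry written as 1:sid. The script below is an added example written for this page, not pulledpork's own code, and it only models the gid:sid, comma-separated and gid:sid-gid:sid range forms of disablesid.conf (pulledpork also accepts pcre: and category entries, which this toy version deliberately leaves out). The gen-msg.map lines, the rule lines and the disablesid.conf entries are constructed samples that follow the formats quoted in the thread.

```python
"""Toy matcher for pulledpork-style disablesid.conf entries.

Added example, not pulledpork's own code. It shows why "1:12" leaves the
stream5 alert (gid 129, sid 12) enabled while "129:12" disables it.
"""
import re

# Constructed sample in the gen-msg.map format quoted in the thread
# (an optional file column, then generator id || alert id || message).
GEN_MSG_MAP = """\
etc/gen-msg.map || 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
etc/gen-msg.map || 129 || 15 || stream5: Reset outside window
etc/gen-msg.map || 138 || 5 || sensitive_data: sensitive data - eMail addresses
"""

# Constructed sample text rules; Snort rules without a gid: option are gid 1.
RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE rule one"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE rule two"; sid:1000002; rev:1;)
"""

_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
_MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def parse_gen_msg_map(text):
    """Return (gid, sid, msg) triples from gen-msg.map style lines."""
    out = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        while parts and not parts[0].isdigit():   # drop a leading file column
            parts.pop(0)
        if len(parts) < 3:
            continue
        out.append((int(parts[0]), int(parts[1]), parts[2]))
    return out


def parse_rules(text):
    """Return (gid, sid, msg) triples from text rules; gid defaults to 1."""
    out = []
    for line in text.splitlines():
        sid = _SID_RE.search(line)
        if not sid:
            continue
        gid = _GID_RE.search(line)
        msg = _MSG_RE.search(line)
        out.append((int(gid.group(1)) if gid else 1,
                    int(sid.group(1)),
                    msg.group(1) if msg else ""))
    return out


def parse_disablesid(text):
    """Return the set of (gid, sid) pairs named by disablesid.conf entries.

    Modelled forms: gid:sid, comma-separated lists, gid:sid-gid:sid ranges.
    """
    pairs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        for item in (i.strip() for i in line.split(",")):
            rng = re.fullmatch(r"(\d+):(\d+)-(\d+):(\d+)", item)
            if rng:
                g1, s1, g2, s2 = map(int, rng.groups())
                if g1 != g2:
                    raise ValueError(f"range must stay within one gid: {item}")
                pairs.update((g1, s) for s in range(s1, s2 + 1))
                continue
            single = re.fullmatch(r"(\d+):(\d+)", item)
            if not single:
                raise ValueError(f"unsupported entry in this toy model: {item}")
            pairs.add((int(single.group(1)), int(single.group(2))))
    return pairs


def apply_disablesid(entries, disabled):
    """Return the triples that stay enabled after applying disablesid pairs."""
    return [e for e in entries if (e[0], e[1]) not in disabled]


def disablesid_entry(gid, sid):
    """The disablesid.conf entry that actually matches a given alert."""
    return f"{gid}:{sid}"


if __name__ == "__main__":
    everything = parse_gen_msg_map(GEN_MSG_MAP) + parse_rules(RULES)
    for conf in ("1:12", "129:12"):
        left = apply_disablesid(everything, parse_disablesid(conf))
        still = any(g == 129 and s == 12 for g, s, _ in left)
        print(f"{conf:>7}: stream5 gid 129 sid 12 still enabled = {still}")
```

Running the block prints that "1:12" leaves the stream5 alert enabled and "129:12" removes it, which is the mistake the thread resolves. The range check refuses a range that crosses generator IDs, since a span such as 1:100-129:100 has no sensible meaning.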
