From: Robert M. <rv...@gm...> - 2008-04-15 21:09:53

Does anyone have a good set of snort_inline rules or know a good location to find them?

Rob
From: xyon <xy...@in...> - 2008-04-15 21:18:52

You could try these: http://www.snort.org/pub-bin/downloads.cgi#COMM (Community section)
From: Robert M. <rv...@gm...> - 2008-04-15 22:13:37

The Community section is only for snort, right? Does it not have snort_inline-specific rules?

Rob
From: xyon <xy...@in...> - 2008-04-15 22:33:44

I typically download the rules, then run oinkmaster configured with a regex to prefix all rules with "drop: " instead of "alert: ". I then run snort (2.7.0) with the -Q switch.

HTH
From: Robert M. <rv...@gm...> - 2008-04-15 22:48:31

Any issues with proper service operation due to the change of all alert rules to drop?

Do you exclude any rule files from snort_inline.conf, or do you use every single snort rule converted to drop?

Thanks in advance,

Rob
From: Joel E. <es...@gm...> - 2008-04-15 22:56:37

Afaik there is not a specific set of rules that are by default set to drop. You'd need to do this using oinkmaster or something. As far as rulesets, there are a bunch out there!

--
Joel Esler
Sent from the iRoad.
From: Will M. <wil...@gm...> - 2008-04-16 00:10:38

I think it is assumed rules will be tweaked for one's own environment.

Rob, I think that you are kind of in a unique situation in that you are trying to protect the rest of the world from your network.

Some things to stay away from...

Anything with flowbits:noalert; you want to make sure you don't set these to drop, as a lot of these rules are used in protocol identification/behavior and are later checked in a separate rule that does alert/drop.

Ditch the replace ruleset. The problem with this is that now that you have pcre, uricontent, and other normalized data, it is not safe to generate a ruleset that will replace the content matches in the rule. You might have a content match that is also used for protocol identification/behavior, and the bad juju lives in the pcre and/or uricontent portion of the rule. Maybe for Honeywall you leave this as an exercise for the user.

Just a suggestion...

Regards,
Will
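A worked version of the two points above (xyon's alert-to-drop rewrite, and Will's caveat about flowbits:noalert and replace rules), as an added example that is not from the thread, from oinkmaster, or from snort_inline; the rule lines are constructed samples in Snort 2.x syntax, and the skip logic is an assumption about what a careful converter should leave alone:

```python
import re

# Constructed sample ruleset (not from the thread). One active rule per line.
SAMPLE_RULES = """\
# disabled rule: stays commented out
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"disabled"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB bad path"; uricontent:"/evil"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC detected"; content:"NICK "; flowbits:set,is_irc; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC command"; flowbits:isset,is_irc; content:"PRIVMSG"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"replace me"; content:"GET"; replace:"BAD"; sid:1000005; rev:1;)
"""

ACTION_RE = re.compile(r"^(\s*)alert(\s+)")          # only active alert rules
NOALERT_RE = re.compile(r"flowbits\s*:\s*noalert\s*;")  # state-setting rules
REPLACE_RE = re.compile(r"\breplace\s*:")              # content-rewriting rules
SID_RE = re.compile(r"sid\s*:\s*(\d+)")

def convert_line(line):
    """Return (new_line, skip_reason). skip_reason is None when converted."""
    if not ACTION_RE.match(line):
        return line, "not an active alert rule"
    if NOALERT_RE.search(line):
        # Sets flowbits for a later rule to check; dropping here would break
        # the protocol-identification chain Will describes.
        return line, "flowbits:noalert rule kept as alert"
    if REPLACE_RE.search(line):
        # Rewriting matched content is unsafe once pcre/uricontent carry the
        # real detection logic, so leave these rules alone.
        return line, "replace rule kept as alert"
    return ACTION_RE.sub(r"\1drop\2", line, count=1), None

def convert_ruleset(text):
    """Convert alert->drop where safe; return (new_text, {sid: reason})."""
    out, skipped = [], {}
    for line in text.splitlines():
        new, reason = convert_line(line)
        out.append(new)
        if reason and line.lstrip().startswith("alert"):
            m = SID_RE.search(line)
            skipped[m.group(1) if m else line] = reason
    return "\n".join(out) + "\n", skipped

if __name__ == "__main__":
    converted, skipped = convert_ruleset(SAMPLE_RULES)
    print(converted)
    for sid, why in skipped.items():
        print(f"kept sid {sid}: {why}")
```

Rules the converter refuses to touch are reported by sid so they can be reviewed by hand, which is the per-signature pass Matt recommends below.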
From: Matt J. <jo...@jo...> - 2008-04-16 02:14:42

There's emergingthreats.net as well, of course (www.emergingthreats.net/rules).

But no matter what set you use, you'll have to go through and look at every sig and decide if you want to block, and if so which side to block (src, dest, both, etc.). It's a horribly tedious task, but necessary. And you'll find your understanding of the ruleset much greater once you're done.

When I have to do so I try to set a chunk of the ruleset a day to get done. Pick a category a day for the smaller ones. But don't try to power through it all in one sitting; you'll glaze over and miss stuff.

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc