Snort mailing list archives

Re: Snort Rule management


From: Marc <marc () mirabilisllc com>
Date: Mon, 6 Sep 2021 21:24:22 +0000

Hi Noah,

Thanks for the response.  I was having issues with both custom and downloaded rule sets.  I did notice that the next 
day the local rule did stop – probably because PulledPork updated the downloaded ruleset and recompiled the combined 
ruleset, as you mention.  I hadn’t considered running PulledPork to do this.  I am running PulledPork 3, so I will try 
the suppress configuration until the disablesid.conf is supported.  Thanks again.

Best Regards,
Marc

From: Noah Dietrich <noah_dietrich () 86penny org>
Sent: Monday, 6 September, 2021 12:16
To: Ian <hartescout () protonmail com>
Cc: Marc <marc () mirabilisllc com>; snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Snort Rule management

It all depends on how you are running Snort and which version of PP you're running.
Is this rule one of your own local rules? If so, comment it out in your local.rules file and re-run PulledPork to 
re-create the combined rules file.
If this rule is coming from one of the downloaded rulesets or a built-in rule, you have a few options. With PulledPork 2 
you can use the disablesid.conf <https://github.com/shirkdog/pulledpork/blob/master/etc/disablesid.conf> file to disable 
this rule.
If you're running PulledPork 3, this functionality is not yet implemented. However, you could configure Snort to 
suppress this alert in its output (you can do this if you're running PP2 as well, since it's a Snort configuration):

From a similar email I responded to:

I'd recommend you look into using the suppress module in your snort.lua file.  Details are in the Snort reference 
manual <https://github.com/snort3/snort3/releases/download/3.1.5.0/snort_reference.pdf> (section 2.30), and there's an 
example here <https://github.com/snort3/snort3_demo/blob/master/tests/framework/suppress/snort.lua>.  I haven't used 
this module, but I think you'd want to include something like the following in your snort.lua file (you'll want to test 
this because I haven't):
suppress = {
    {
        gid = 112,
        sid = 1,
    },
    {
        -- you can add other rules to ignore here
        gid =  1,
        sid = 12345,
    }
}
Noah

On Mon, Sep 6, 2021 at 3:14 PM Ian via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi Marc,
Aside from commenting/removing the rules out of your snort.conf file I'm not sure there is any "better way". Keep in 
mind I am only familiar with Snort in lab environments, my team has not been able to use snort in production.
This page is my go-to though, I would look through the manuals section near the bottom. Snort.org Snort3 
Resources <https://www.snort.org/snort3>

Hope that helps some. Take care.

-----------------------------------------------------------
Ian


------- Original Message -------
On Sunday, September 5th, 2021 at 9:29 AM, Marc <marc () mirabilisllc com> wrote:

Hi,

What would be a good reference on managing (not writing) Snort3 rules?  Specifically, I am running Snort 3.1.6 with SO 
rules and PulledPork.  I am having difficulty removing rules (e.g. a noisy ICMP rule).  I am looking for a concise 
reference or alternately a tutorial on commenting out rules and recompiling them.  I have tried commenting out the rule 
in pulledpork.rules and local.rules and restarting Snort, but that didn't do it.  Thank you.

Regards,
Marc
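As an added example (not part of this thread or of PulledPork), the following Python script does what disablesid.conf does for PulledPork 2, commenting out rules by gid:sid in a rules file, and renders the same id list as the snort.lua suppress table Noah suggests for PulledPork 3 setups. The sample rules and the helper names are constructed for illustration.

```python
import re

# Snort rule options look like "sid:12345;" and optionally "gid:1;".
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def rule_id(line):
    """Return (gid, sid) for a rule line (active or commented out), else None.
    gid defaults to 1 when the rule does not set it, as Snort does."""
    body = line.lstrip().lstrip('#').lstrip()
    sid = SID_RE.search(body)
    if not sid:
        return None
    gid = GID_RE.search(body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def disable_rules(rules_text, disable_ids):
    """Comment out every rule whose (gid, sid) is in disable_ids, the way
    PulledPork 2's disablesid.conf does. Returns (new_text, number_disabled).
    Rules that are already commented out are left untouched."""
    out, disabled = [], 0
    for line in rules_text.splitlines():
        if not line.lstrip().startswith('#') and rule_id(line) in disable_ids:
            out.append('# ' + line)
            disabled += 1
        else:
            out.append(line)
    return '\n'.join(out) + '\n', disabled

def suppress_lua(disable_ids):
    """Render the same (gid, sid) set as a Snort 3 snort.lua 'suppress' table,
    the alternative to disabling the rule when PulledPork 3 is in use."""
    entries = ''.join(f'    {{ gid = {g}, sid = {s} }},\n' for g, s in sorted(disable_ids))
    return 'suppress =\n{\n' + entries + '}\n'

# Constructed sample rules file (not a real ruleset): a noisy ICMP rule,
# a rule with an explicit gid, one already disabled, and one to keep.
SAMPLE_RULES = """\
alert icmp any any -> $HOME_NET any ( msg:"CONSTRUCTED noisy ICMP"; sid:1000001; rev:1; )
alert tcp any any -> $HOME_NET 22 ( msg:"CONSTRUCTED ssh"; gid:1; sid:1000002; rev:1; )
# alert udp any any -> $HOME_NET 53 ( msg:"CONSTRUCTED dns"; sid:1000003; rev:1; )
alert tcp any any -> $HOME_NET 80 ( msg:"CONSTRUCTED http"; sid:1000004; rev:1; )
"""

if __name__ == '__main__':
    noisy = {(1, 1000001), (1, 1000003)}
    new_text, n = disable_rules(SAMPLE_RULES, noisy)
    print(new_text, f'disabled {n} rule(s)', suppress_lua(noisy), sep='\n')
```

Applied to the PulledPork output file, the edit is lost on the next PulledPork run (as Marc observed), so it has to be re-applied after each update or the suppress table used instead.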

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most 
emerging threats: https://snort.org/downloads/#rule-downloads