I want to personalize Snort?


(Jonathan Dumont) #1

Hi;

If I understand well, on NethServer Snort uses these rules:
https://rules.emergingthreatspro.com/open/snort-2.9.0/rules/emerging.conf

I understand I should make a custom template, but I still have difficulties understanding templates-custom and how to make it.

So I'm asking for help to build a template-custom to activate these two rules:
#include $RULE_PATH/emerging-dshield.rules
#include $RULE_PATH/emerging-ciarmy.rules


(Filippo Carletti) #2

Snort rules customizations have to be done using pulledpork.

  1. set mode to expert in the IPS interface
  2. adjust the pulledpork config files /etc/snort/enablesid.conf, dropsid.conf and disablesid.conf

ciarmy and dshield are enabled by default in custom mode.
I can share my snort custom config.


(Jonathan Dumont) #3

It will be my pleasure to see your configuration;
maybe it will inspire me.
Usually I'm using the Level1 list of iBlocklist
https://www.iblocklist.com/lists.php

but after comparing, the actual Emerging list looks more complete.


(Filippo Carletti) #4

Config is targeted to my env (i.e. ssh and irc heavy user, etc).

/etc/snort/dropsid.conf

pcre:ET DROP
pcre:ET TROJAN
pcre:ET CNC
pcre:ET MALWARE
pcre:ET COMPROMISED
pcre:ET CURRENT_EVENTS

/etc/snort/disablesid.conf

pcre:Tor
pcre:Google
pcre:Dropbox
# yum
1:2013505
# apt
1:2013504
emerging-chat
# curl
1:2013028
# IRC ping/pong alerts
pcre:ET CHAT
pcre:GPL CHAT
ET-chat
# chat
1:2002023
1:2002024
1:2002025
1:2002026
1:2002027
1:2002028
1:2101639
1:2101640
1:2101729
# ssh scan outbound
1:2003068
pcre:ET TROJAN IRC
# ET TROJAN Possible Downadup FP bittorrent
1:2009205
1:2009206
1:2009207
1:2009208
# ssl_version
1:2019417
1:2019418
pcre:POODLE
pcre:SENSITIVE-DATA
# anubis
1:2019632
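To make the three pulledpork files from post #2 and the dropsid/disablesid content in post #4 concrete, here is an added example (not code from the thread, NethServer or pulledpork itself) that parses the three line forms those files use (gid:sid, pcre:<regex>, bare category name) and applies them to a handful of constructed rule lines. The rule texts, the sids in the 9000000 range and the enablesid content are constructed for the demo; only sid 2002023 and the dropsid/disablesid excerpts come from the post above. The processing order (enable, then drop, then disable, so a disablesid match wins) and pcre matching over the whole rule text are assumptions about pulledpork's behaviour, not taken from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules, grouped by category (the .rules file basename, which
# is what a bare category line such as "emerging-chat" in a sid config names).
# Messages only imitate the ET naming shape; sids other than 2002023 (quoted in
# the thread) are placeholders from the 9000000 range, not real ET sids.
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-dshield": [
        'alert ip [192.0.2.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; sid:9000001; rev:1;)',
    ],
    "emerging-ciarmy": [
        'alert ip [198.51.100.0/24] any -> $HOME_NET any (msg:"ET CINS Poor Reputation IP"; sid:9000002; rev:1;)',
    ],
    "emerging-chat": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"ET CHAT IRC PING command"; sid:2002023; rev:1;)',
    ],
    "emerging-policy": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Dropbox client check-in"; sid:9000003; rev:1;)',
        # Shipped commented out; an enablesid entry is what turns such a rule on.
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET POLICY Outbound SSH"; sid:9000004; rev:1;)',
    ],
}

# Excerpts of the dropsid/disablesid content posted above, plus a constructed
# enablesid entry for the commented-out placeholder rule.
ENABLESID = "# constructed: turn the commented-out SSH policy rule on\n1:9000004\n"
DROPSID = "pcre:ET DROP\npcre:ET TROJAN\npcre:ET CNC\n"
DISABLESID = "pcre:Tor\npcre:Dropbox\n# chat\n1:2002023\nemerging-chat\npcre:ET CHAT\n"

SID_LINE_RE = re.compile(r"^(\d+):(\d+)$")
RULE_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
RULE_GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

# ("sid", (gid, sid)) | ("pcre", compiled regex) | ("category", name)
Selector = Tuple[str, object]


def parse_sid_config(text: str) -> List[Selector]:
    """Parse the three line forms a sid config file uses: gid:sid, pcre:<regex>, category."""
    selectors: List[Selector] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            selectors.append(("pcre", re.compile(line[len("pcre:"):])))
        elif (m := SID_LINE_RE.match(line)):
            selectors.append(("sid", (int(m.group(1)), int(m.group(2)))))
        else:
            selectors.append(("category", line))
    return selectors


def rule_id(body: str) -> Tuple[int, int]:
    """(gid, sid) of a rule body; gid defaults to 1 as Snort does."""
    sid = RULE_SID_RE.search(body)
    if sid is None:
        raise ValueError(f"rule without sid: {body!r}")
    gid = RULE_GID_RE.search(body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def selected(selectors: List[Selector], category: str, body: str) -> bool:
    """True if any selector picks this rule; pcre is run over the whole rule text."""
    for kind, value in selectors:
        if kind == "sid" and value == rule_id(body):
            return True
        if kind == "pcre" and value.search(body):
            return True
        if kind == "category" and value == category:
            return True
    return False


def apply_sid_configs(rules_by_category, enablesid="", dropsid="", disablesid="") -> Dict[int, str]:
    """Return {sid: final rule line}. Assumed order: enable, then drop, then
    disable, so a disablesid match always wins over the other two."""
    enable, drop, disable = (parse_sid_config(t) for t in (enablesid, dropsid, disablesid))
    result: Dict[int, str] = {}
    for category, rules in rules_by_category.items():
        for rule in rules:
            commented = rule.lstrip().startswith("#")
            body = rule.lstrip("# \t") if commented else rule.strip()
            if commented and selected(enable, category, body):
                commented = False
            if selected(drop, category, body):
                _, rest = body.split(None, 1)   # swap only the action keyword
                body = "drop " + rest
            if selected(disable, category, body):
                commented = True
            result[rule_id(body)[1]] = ("# " + body) if commented else body
    return result


if __name__ == "__main__":
    for sid, line in sorted(apply_sid_configs(SAMPLE_RULES, ENABLESID, DROPSID, DISABLESID).items()):
        print(f"{sid}: {line[:70]}")
```

Run as a script it shows the effect of the posted excerpts: the dshield rule keeps running but with a drop action because its msg matches `pcre:ET DROP`, the ciarmy rule is untouched, the IRC PING rule is commented out (it is hit by `1:2002023`, by the `emerging-chat` category and by `pcre:ET CHAT`), and the Dropbox rule is commented out by `pcre:Dropbox`. Note that a pcre line is a substring regex over the full rule text, so a broad pattern can silence more rules than intended; checking the resulting rule file after pulledpork runs is the way to see exactly what each line caught.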