Lundholm
Trooper
Joined: Aug 16, 2007 Posts: 19
Posted: Thu Nov 29, 2007 9:08 am Post subject: NIPS - SNORT rulesets.
Hi,
Has anybody else downloaded the full Sourcefire VRT SNORT rulesets and replaced the standard SKPF rulesets? Very effective! I immediately got false backdoor positives for Castlecops and other sites.
The VRT package contains many more rulesets than the SKPF installer, and I am wondering which rulesets could be important.
Cheers
_________________
O, there has been much throwing about of brains -- Guildenstern, knight of Hamlet, ancestor of G. a. Lundholm.
DarthTrader
Captain
Joined: Apr 21, 2006 Posts: 433 Location: USA
Posted: Sun Dec 02, 2007 4:05 am Post subject:
Most of those rules appear to be written for network servers with a lot of client machines that need monitoring. Is that what you have?
Lundholm
Trooper
Joined: Aug 16, 2007 Posts: 19
Posted: Sun Dec 02, 2007 1:54 pm Post subject:
DarthTrader wrote:
> Most of those rules appear to be written for network servers with a lot of client machines that need monitoring. Is that what you have?

Some of the rules are aimed at UNIX boxes, yes.
So you have no hands-on experience with SNORT?
_________________
O, there has been much throwing about of brains -- Guildenstern, knight of Hamlet, ancestor of G. a. Lundholm.
DarthTrader
Captain
Joined: Apr 21, 2006 Posts: 433 Location: USA
Posted: Sun Dec 02, 2007 5:10 pm Post subject:
Lundholm wrote:
> Some of the rules are aimed at UNIX boxes, yes.
> So you have no hands-on experience with SNORT?

No real experience with SNORT on UNIX, but I have been playing around with Bleeding Edge rules lately on my XP box:
http://doc.bleedingthreats.net/bin/view/Main/AllRulesets
These can also lead to FPs. Do you have Gateway mode enabled? It is difficult to say what rulesets could be "important" to you without knowing your setup.
Lundholm
Trooper
Joined: Aug 16, 2007 Posts: 19
Posted: Mon Dec 03, 2007 10:08 am Post subject:
DarthTrader wrote:
> No real experience with SNORT on UNIX, but I have been playing around with Bleeding Edge rules lately on my XP box

I have tried some of the Bleeding Edge rules as well, but some of them are not accepted by KPF.
You don't have any problems with the new Bleeding Edge rules? They look as if they have been written for the new versions of SNORT.
I think that the SKPF SNORT version is quite old, but I don't know how to find out. The default ruleset has not been changed since Kerio 4.2.2. So I use some of the rules for the previous version 2.4 SNORT. This seems to work fine.
_________________
O, there has been much throwing about of brains -- Guildenstern, knight of Hamlet, ancestor of G. a. Lundholm.
DarthTrader
Captain
Joined: Apr 21, 2006 Posts: 433 Location: USA
Posted: Mon Dec 03, 2007 1:17 pm Post subject:
Lundholm wrote:
> I have tried some of the Bleeding Edge rules as well, but some of them are not accepted by KPF.
> You don't have any problems with the new Bleeding Edge rules? They look as if they have been written for the new versions of SNORT.
> I think that the SKPF SNORT version is quite old, but I don't know how to find out. The default ruleset has not been changed since Kerio 4.2.2. So I use some of the rules for the previous version 2.4 SNORT. This seems to work fine.

Bleeding Edge rules gave FPs so I stopped using them. I now have VRT Certified Rules for Snort v2.4, snortrules-snapshot-2.4.tar.gz (2007-09-11). Is this the one you have? Which rules are you using? Thanks.
IP: 87.60.*.*
Guest
Posted: Mon Dec 03, 2007 2:15 pm Post subject:
Yes, that's what I have.
I have replaced the default KPF rulesets: backdoor, bad-traffic, ddos, dos, icmp, misc, scan. I have disabled a handful of backdoor rules. They gave FPs and blocked some web pages.
I have dropped attack-responses and netbios. I have blocked netbios, and it is more than 5k rules! I have tested it, and it delays FW startup a little.
I have added finger, icmp-info and specific-threats (for new hot rules).
You have to edit the rules.idx file of course to reflect the new set and new extensions (rlk -> rules). I think the list must be in alphabetic order.
So now I'm looking for new hot rules. Unfortunately, Bleeding edge seems to be suffering.
Lundholm
Trooper
Joined: Aug 16, 2007 Posts: 19
Posted: Mon Dec 03, 2007 2:21 pm Post subject:
Sorry, forgot to login. Castlecops seems to be falling apart today. Lots of disconnects.
_________________
O, there has been much throwing about of brains -- Guildenstern, knight of Hamlet, ancestor of G. a. Lundholm.
DarthTrader
Captain
Joined: Apr 21, 2006 Posts: 433 Location: USA
Posted: Mon Dec 03, 2007 3:18 pm Post subject:
Thanks for the information, Lundholm.
From this thread:
http://www.castlecops.com/postlite146270-snort.html
We have a response from Sunbelt Support:
Quote:
> Sunbelt Kerio Personal Firewall 4 only supports a subset of the rules from Snort. It is possible that a rule that you imported can contain an item that the firewall doesn't understand and cause it to lock up.

Looking at the rules.idx file, I assume he is referring to the "community-" rules. I copied a few SNORT 2.4 rule files, such as icmp.rules, into the IDSRules directory and renamed them to community-icmp.rlk, etc. and re-booted. All is well, but I don't think I will try anything not listed in rules.idx.
By the way, I recall receiving a popup notice a few weeks ago advising me that the Sunbelt rules had been updated. I downloaded the new rules and now my default .rlk files are dated 11/18/2007. Is that what you have?
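As an added example (not code from this thread, from Sunbelt or from the Snort project), a small Python check in the spirit of the Sunbelt warning quoted above and the rules.idx/rlk renaming described in the two posts before it: it parses the option keywords each rule uses and reports any option in an imported file that never appears in a baseline set already known to load, so unfamiliar options can be reviewed before the file is dropped into IDSRules. Both rule texts are constructed samples, not rules from any VRT or KPF file.

```python
import re

# Constructed sample files. BASELINE stands in for a default KPF .rlk that is
# known to load; CANDIDATE for an imported file whose options need vetting.
BASELINE_RULES = r'''
# default set: options the firewall is known to accept
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; classtype:misc-activity; sid:384; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"BACKDOOR test"; flow:to_server,established; \
    content:"a|3B|b;c"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
'''
CANDIDATE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB probe"; flow:to_server,established; content:"GET"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS new-style"; flow:to_server,established; flowbits:set,smb.tree; byte_test:4,>,1024,0,relative; sid:1000003; rev:1;)
'''

def iter_rules(text):
    """Yield logical rules: join backslash continuations, skip blanks and comments."""
    joined = re.sub(r'\\\s*\n', ' ', text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line

def rule_keywords(rule):
    """Return the option keywords of one rule, splitting on ';' only outside quotes
    (a ';' inside content:"..." is payload, not an option separator)."""
    start, end = rule.find('('), rule.rfind(')')
    if start < 0 or end < start:
        return set()
    keywords, buf, in_quote, prev = set(), '', False, ''
    for ch in rule[start + 1:end]:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            keywords.add(buf.split(':', 1)[0].strip())
            buf = ''
        else:
            buf += ch
        prev = ch
    if buf.strip():                      # last option without a trailing ';'
        keywords.add(buf.split(':', 1)[0].strip())
    return {k for k in keywords if k}

def unknown_options(baseline_text, candidate_text):
    """Map sid -> sorted options used by a candidate rule but by no baseline rule."""
    known = set().union(*(rule_keywords(r) for r in iter_rules(baseline_text)))
    report = {}
    for rule in iter_rules(candidate_text):
        extra = rule_keywords(rule) - known
        if extra:
            sid = re.search(r'\bsid:\s*(\d+)', rule)
            report[sid.group(1) if sid else rule[:40]] = sorted(extra)
    return report
```

Rules flagged this way are candidates for manual review against the Snort 2.4 rule language, not automatically bad; the baseline only says which options the firewall has already been seen to accept.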
Lundholm
Trooper
Joined: Aug 16, 2007 Posts: 19
Posted: Mon Dec 03, 2007 3:37 pm Post subject:
That's interesting info from Sunbelt. It is correct in the sense that the rule language has developed over time. That's why it's important to use the version 2.4 rules, I think. If Kerio used the standard SNORT SW, then there should be no problem.
Anyway, I have seen no problems other than FPs, and the NIPS function (or part of it) can be disabled easily, if I have serious problems.
I don't do Sunbelt updates. Maybe I should download the latest installer and check the rule files - maybe not?
_________________
O, there has been much throwing about of brains -- Guildenstern, knight of Hamlet, ancestor of G. a. Lundholm.
DarthTrader
Captain
Joined: Apr 21, 2006 Posts: 433 Location: USA
Posted: Mon Dec 03, 2007 4:10 pm Post subject:
Lundholm wrote:
> I don't do Sunbelt updates. Maybe I should download the latest installer and check the rule files - maybe not?

I doubt if the latest installer would have the very latest updates. I think you would have to do an update after installing.