Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 2 subscribers
  • Views 3284 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bleeding Edge Snort

Dave Packham
Astaro 6.1001

It might be nice to be able to add snort rules from a tar.gz file to be able to use something like the beeding edga snorts rules from http://www.bleedingsnort.com/ site...  I would have to add eachone individually


This thread was automatically locked due to age.
Parents
  • 0
    I've likewise been trying to add the bleeding-edge snort rule for the WMF issue and haven't had any luck. As mentioned by others  I aslo find the interface for adding rules to be, shall we say, less than obvious and the help file sheds little light on the subject IMO.

    If someone can point me towards a good explanation of how to add rules it would be most appreciated.

    Also the idea of being able to add rules via some more efficient method than the admin screen would be excellent. May I suggest that all the partners that recently received the survey / feedback request comment on this as allowed.
  • 0 in reply to mike_shafer
    Ok, I am able to load the be-snort rules for WMF into the Astaro as follows:

    Description: WMF part 1
    Selector: tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    Filter: flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; content:"HTTP"; depth:4; nocase; flowbits:set,bleeding_wmf_http; flowbits:noalert;

    Description: WMF part 2
    Selector:  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    Filter: flowbits:isset,bleeding_wmf_http; flowbits:isnotset,bleeding_wmf_expl; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl; flowbits:noalert;

    Description: WMF part 3
    Selector:   tcp $EXTERNAL_NET any -> $HOME_NET any
    Filter: flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120;


    Everything is loaded fine with snort.  The info on bleeding edge says "flow_depth (of http_inspect_server) has to be set to 0" so I edited /var/chroot-snort/etc/snort/snort.conf-defaults and added "flow_depth 0" to the end of the http_inspect_server line.  this makes it show up as set to 0 in the live log so i think everything should be ok.

    but... now how can i test this?  anyone know of a good way?

    Thanks
Reply
  • 0 in reply to mike_shafer
    Ok, I am able to load the be-snort rules for WMF into the Astaro as follows:

    Description: WMF part 1
    Selector: tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    Filter: flow:established,from_server; flowbits:isnotset,bleeding_wmf_expl; content:"HTTP"; depth:4; nocase; flowbits:set,bleeding_wmf_http; flowbits:noalert;

    Description: WMF part 2
    Selector:  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    Filter: flowbits:isset,bleeding_wmf_http; flowbits:isnotset,bleeding_wmf_expl; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,bleeding_wmf_expl; flowbits:noalert;

    Description: WMF part 3
    Selector:   tcp $EXTERNAL_NET any -> $HOME_NET any
    Filter: flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120;


    Everything is loaded fine with snort.  The info on bleeding edge says "flow_depth (of http_inspect_server) has to be set to 0" so I edited /var/chroot-snort/etc/snort/snort.conf-defaults and added "flow_depth 0" to the end of the http_inspect_server line.  this makes it show up as set to 0 in the live log so i think everything should be ok.

    but... now how can i test this?  anyone know of a good way?

    Thanks
Children