jlieb

Events are not being triggered after adding this add-on

3 posts in this topic

Morpheus,

 

After adding the PulledPork add-on, events have stopped. I went back through my snort.conf file following the update tutorial, and the only discrepancies I found had to do with the preproc_rule paths. In the update tutorial the rules are turned on; in the PulledPork tutorial they are turned off. Once I turned them back on, events started spooling to the unified2 file consistently. Which is the correct configuration?


Here is the original Windows Intrusion Detection Systems configuration for the 'PREPROC' rules.

 

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

 

 

Here are the changes for the PulledPork add-on

 

Original Line(s):
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

 

After you made the changes, are the three rule sets listed below actually located in the 'd:\winids\snort\rules' folder?

  1. preprocessor.rules
  2. decoder.rules
  3. sensitive-data.rules

 

As far as I know all the rules are supposed to be processed into the single .rules file (winids.rules). Something may have changed, or I'm not fully understanding how PulledPork works.

 

Let me query the group on this. I've never seen this problem before.


Ok, so I checked my winsnort.rules files. The winids.rules file does contain all three rule sets:

  1. preprocessor.rules
  2. decoder.rules
  3. sensitive-data.rules

 

Open the winids.rules file in a text editor (notepad+) and all the rules are categorized.

 

preprocessor.rules -> # ----- Begin VRT-preprocessor Rules Category ----- #

 

decoder.rules -> # ----- Begin VRT-decoder Rules Category ----- #

 

sensitive-data.rules -> # ----- Begin VRT-sensitive-data Rules Category ----- #

 

As an example, open the preprocessor.rules file and there are 500 rules listed (fictional count). Out of those 500 rules there may be 50 disabled (a leading # means disabled). After PulledPork processes, open the winids.rules file and search for the category labeled # ----- Begin VRT-preprocessor Rules Category ----- #. Under that category, all 500 (fictional count) rules should be listed and match exactly the rules found in the preprocessor.rules file.

 

Out of the 500 rules (fictional count) listed under the # ----- Begin VRT-preprocessor Rules Category ----- # there may be 480 of those rules (fictional count) disabled, and not just the 50 that were disabled in the default preprocessor.rules file. PulledPork will adjust the enabled / disabled status of each rule when compiling a new winids.rules file based on the 'ips_policy=' setting in the pulledpork.conf.

 

This is the main reason why your preprocessor rule events have dropped after adding the PulledPork add-on.

 

Note: NEVER, and I repeat NEVER manually alter the winids.rules file. Use the four configuration files listed below to make ALL rule changes.

 

enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf

 

As an example, let's say there was a rule that was being triggered prior to updating to PulledPork. To enable that rule, add that rule's SID to the enablesid.conf file.

 

As an example, let's say there is a specific event being triggered regarding Internet Information Services. Your enterprise site does not run Internet Information Services, and you don't want to see that event in the Windows Intrusion Detection Systems security console. To disable that rule, add that rule's SID to the disablesid.conf file.

 

By adding the rule's SID to the enablesid.conf file or the disablesid.conf file, the rule will continue to be enabled or disabled in the winids.rules file. However, when Snort starts it first reads in the original winids.rules file. It then reads in the enablesid.conf file and the disablesid.conf file, and then enables or disables rules based on what Snort finds in each of those .conf files.

 

PulledPork compiles a basic winids.rules file. The four configuration files listed above are used for rule customizing. Never touch the winids.rules file.

 

Winsnort gives the basic starting point, but for more advanced help, the PulledPork users group is the next step.
 


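The two replies above describe something that can be checked mechanically: every rule of a category file should reappear under its '# ----- Begin VRT-<name> Rules Category ----- #' header in winids.rules with only the enabled/disabled flag changed by the ips_policy, and enablesid.conf / disablesid.conf then override that flag on the next run. The Python below is an added example written for this thread; it is not PulledPork's own code and not part of the WinSnort tutorials. It assumes a rule is disabled when its line starts with '#', that gid defaults to 1 when a rule has no gid keyword, that the sid conf files use the plain gid:sid form (the ranges, pcre: and category-name entries PulledPork also accepts are not handled), and that disablesid entries are applied before enablesid entries; the rule lines and conf contents it works on are constructed samples, not copies of real files.

```python
"""Check a PulledPork merged rules file against a source category file and
predict what enablesid.conf / disablesid.conf change on the next merge. Added
example for this thread (not PulledPork/WinSnort code); samples are constructed."""
import re
from typing import Dict, List, Set, Tuple

RuleKey = Tuple[int, int]  # (gid, sid); gid defaults to 1 for ordinary text rules
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
# Category header in winids.rules, in the form quoted in the thread.
CATEGORY_RE = re.compile(r"^#\s*-+\s*Begin VRT-(\S+) Rules Category\s*-+\s*#")


def parse_rules(text: str) -> Dict[RuleKey, bool]:
    """Map each rule to True (enabled) or False (line commented out with '#')."""
    rules: Dict[RuleKey, bool] = {}
    for line in text.splitlines():
        stripped = line.strip()
        disabled = stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        if not ACTION_RE.match(body):
            continue  # category header or free-text comment, not a rule
        sid = SID_RE.search(body)
        if not sid:
            continue
        gid = GID_RE.search(body)
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = not disabled
    return rules


def split_categories(text: str) -> Dict[str, str]:
    """Cut a merged file into {category name: the lines under its header}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = CATEGORY_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(lines) for name, lines in sections.items()}


def parse_sid_conf(text: str) -> Set[RuleKey]:
    """Read plain gid:sid entries (comma/space separated; '#' starts a comment)."""
    keys: Set[RuleKey] = set()
    for line in text.splitlines():
        for entry in re.split(r"[,\s]+", line.split("#", 1)[0].strip()):
            m = re.fullmatch(r"(\d+):(\d+)", entry)
            if m:
                keys.add((int(m.group(1)), int(m.group(2))))
    return keys


def check_category(source: str, merged: str, category: str) -> Dict[str, List[RuleKey]]:
    """Every gid:sid of the source file must sit under its category in the merged
    file; only the enabled flag may differ, and those flips are reported."""
    src = parse_rules(source)
    out = parse_rules(split_categories(merged).get(category, ""))
    return {
        "missing": sorted(set(src) - set(out)),
        "extra": sorted(set(out) - set(src)),
        "disabled_by_merge": sorted(k for k in src if k in out and src[k] and not out[k]),
        "enabled_by_merge": sorted(k for k in src if k in out and not src[k] and out[k]),
    }


def apply_sid_conf(rules: Dict[RuleKey, bool], disable: Set[RuleKey],
                   enable: Set[RuleKey]) -> Dict[RuleKey, bool]:
    """Disablesid entries first, enablesid entries last so enable wins a conflict
    (that ordering is this example's assumption, not a PulledPork guarantee)."""
    result = dict(rules)
    for key in disable:
        if key in result:
            result[key] = False
    for key in enable:
        if key in result:
            result[key] = True
    return result


# Constructed stand-in for preprocessor.rules: 4 rules, one shipped disabled.
PREPROCESSOR_RULES = """\
alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:2; gid:116; rev:1; classtype:protocol-command-decode; )
# alert ( msg:"DECODE_IPV4_DGRAM_LT_IPHDR"; sid:3; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"HTTP_INSPECT_ASCII"; sid:1; gid:119; rev:1; classtype:protocol-command-decode; )
"""
# Constructed winids.rules after a merge under a restrictive ips_policy: same 4
# rules under the preprocessor header, only one still enabled; second category follows.
WINIDS_RULES = """\
# ----- Begin VRT-preprocessor Rules Category ----- #
# alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:2; gid:116; rev:1; classtype:protocol-command-decode; )
# alert ( msg:"DECODE_IPV4_DGRAM_LT_IPHDR"; sid:3; gid:116; rev:1; classtype:protocol-command-decode; )
# alert ( msg:"HTTP_INSPECT_ASCII"; sid:1; gid:119; rev:1; classtype:protocol-command-decode; )
# ----- Begin VRT-decoder Rules Category ----- #
alert ( msg:"DECODE_TCP_INVALID_OFFSET"; sid:45; gid:116; rev:1; classtype:protocol-command-decode; )
"""
# Constructed enablesid.conf / disablesid.conf contents.
ENABLESID_CONF = "116:1,119:1   # bring back the events seen before PulledPork\n"
DISABLESID_CONF = "116:2\n"

if __name__ == "__main__":
    print(check_category(PREPROCESSOR_RULES, WINIDS_RULES, "preprocessor"))
```

On the constructed data, check_category reports nothing missing and nothing extra for the preprocessor category but two rules (116:1 and 119:1) silenced by the merge, which is the pattern the post describes for the 500-rule / 480-disabled case. Feeding the merged section through apply_sid_conf with the two conf files brings 116:1 and 119:1 back and turns 116:2 off, so the winids.rules file never has to be edited by hand. Pointing parse_rules and check_category at the real category files and winids.rules in the rules folder is the check the first reply asks for.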