jlieb
Posted August 18, 2014

Morpheus,

After adding the PulledPork add-on, events have stopped. I went back through my snort conf file following the update tutorial, and the only discrepancies I found had to do with the preproc_rule paths. In the update tutorial the rules are turned on; in the PulledPork tutorial they are turned off. Once I turned them back on, events started spooling to the unified2 file consistently. Which is the correct configuration?
Morpheus
Posted August 18, 2014

Here is the original Windows Intrusion Detection Systems configuration for the 'PREPROC' rules.

Original line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Here are the changes for the PulledPork add-on.

Original line(s):
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

After you made the changes, are the three rule sets listed below actually located in the 'd:\winids\snort\rules' folder?
preprocessor.rules
decoder.rules
sensitive-data.rules

As far as I know, all the rules are supposed to be processed into the single .rules file (winids.rules). Something may have changed, or I'm not fully understanding how PulledPork works. Let me query the group on this. I've never seen this problem before.
Morpheus
Posted August 19, 2014

Ok, so I checked my winsnort.rules files. The winids.rules file does contain all three rule sets:
preprocessor.rules
decoder.rules
sensitive-data.rules

Open the winids.rules file in a text editor (Notepad++) and all the rules are categorized.
preprocessor.rules -> # ----- Begin VRT-preprocessor Rules Category ----- #
decoder.rules -> # ----- Begin VRT-decoder Rules Category ----- #
sensitive-data.rules -> # ----- Begin VRT-sensitive-data Rules Category ----- #

As an example, open the preprocessor.rules file and there are 500 rules listed (fictional count). Out of those 500 rules there may be 50 disabled (# is disabled). After PulledPork processes, open the winids.rules file and search for the category labeled # ----- Begin VRT-preprocessor Rules Category ----- #. Under that category, all 500 (fictional count) rules should be listed and match exactly the rules found in the preprocessor.rules file. Out of the 500 rules (fictional count) listed under the # ----- Begin VRT-preprocessor Rules Category ----- # there may be 480 of those rules (fictional count) disabled, and not just the 50 that were disabled in the default preprocessor.rules file.

PulledPork will adjust the enabled / disabled status of each rule when compiling a new winids.rules file based on the 'ips_policy=' setting in the pulledpork.conf. This is the main reason why your preprocessor rule events have dropped after adding the PulledPork add-on.

Note: NEVER, and I repeat NEVER, manually alter the winids.rules file. Use the four configuration files listed below to make ALL rule changes.
enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf

As an example, let's say there was a previous rule that was being triggered prior to updating to PulledPork. To enable that rule, add that rule's SID to the enablesid.conf file.
As another example, let's say there is a specific event being triggered regarding Internet Information Services. Your enterprise site does not run Internet Information Services, and you don't want to see that event in the Windows Intrusion Detection Systems security console. To disable that rule, add that rule's SID to the disablesid.conf file.

By adding the rule's SID to the enablesid.conf file or the disablesid.conf file, the rule will continue to be enabled or disabled in the winids.rules file. However, when Snort starts it first reads in the original winids.rules file. It then reads in the enablesid.conf file and the disablesid.conf file, and then enables or disables rules based on what Snort finds in each of those .conf files.

PulledPork compiles a basic winids.rules file. The four configuration files listed above are used for rule customizing. Never touch the winids.rules file. Winsnort gives the basic starting point, but for more advanced help, the PulledPork users group is the next step.
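The two checks Morpheus describes above (counting how many rules under each "Begin ... Rules Category" banner PulledPork left enabled, and confirming that SIDs placed in enablesid.conf / disablesid.conf actually ended up in the intended state in winids.rules) can be scripted instead of done by hand in an editor. The following is an added example written for this page; it is not code from the thread, from winsnort, or from PulledPork. It assumes the banner format quoted in the post, the convention that a disabled rule is the rule line prefixed with "# ", and that a rule without an explicit gid belongs to gid 1. The rules file and the two .conf files are constructed samples embedded in the script, and the precedence it uses when a SID appears in both lists (disablesid applied first, then enablesid) is an assumption for the example, not a statement about PulledPork's internals.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of a PulledPork-generated winids.rules file
# (not a real ruleset): source-file banners, with disabled rules prefixed "# ".
SAMPLE_WINIDS_RULES = """\
# ----- Begin VRT-decoder Rules Category ----- #
alert ( msg:"DECODE_EXAMPLE_1"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
# alert ( msg:"DECODE_EXAMPLE_2"; sid:2; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
# alert ( msg:"DECODE_EXAMPLE_3"; sid:3; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
# ----- End VRT-decoder Rules Category ----- #
# ----- Begin VRT-preprocessor Rules Category ----- #
# alert ( msg:"PPM_EXAMPLE"; sid:1; gid:134; rev:1; metadata:rule-type preproc; classtype:protocol-command-decode; )
alert ( msg:"SSH_EXAMPLE_1"; sid:1; gid:128; rev:1; metadata:rule-type preproc; classtype:attempted-admin; )
# alert ( msg:"SSH_EXAMPLE_2"; sid:2; gid:128; rev:1; metadata:rule-type preproc; classtype:attempted-admin; )
# ----- End VRT-preprocessor Rules Category ----- #
# ----- Begin VRT-server-iis Rules Category ----- #
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS example"; flow:to_server,established; content:"/iisadmin"; sid:1000001; rev:1; )
# ----- End VRT-server-iis Rules Category ----- #
"""

# Constructed enablesid.conf / disablesid.conf contents (gid:sid entries).
ENABLESID_CONF = "# re-enable events that stopped after PulledPork\n116:2, 116:3\n128:2\n"
DISABLESID_CONF = "# site does not run IIS; silence that rule\n1:1000001\n"

CATEGORY_RE = re.compile(r"^#\s*-----\s*Begin\s+(.+?)\s+Rules Category\s*-----\s*#")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def parse_rules(text):
    """Return rule records {lineno, category, enabled, gid, sid, text}.
    Banners, blank lines and non-rule comments are skipped."""
    rules, category = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = CATEGORY_RE.match(line)
        if m:
            category = m.group(1)
            continue
        enabled = not line.startswith("#")
        body = line if enabled else line.lstrip("# ").strip()
        action = body.split(None, 1)[0] if body else ""
        sm = SID_RE.search(body)
        if action not in ACTIONS or not sm:
            continue
        gm = GID_RE.search(body)
        rules.append({"lineno": lineno, "category": category, "enabled": enabled,
                      "gid": int(gm.group(1)) if gm else 1,  # assumption: default gid 1
                      "sid": int(sm.group(1)), "text": body})
    return rules


def summarize(rules):
    """Per-category totals, the count Morpheus does by hand in the editor."""
    out = OrderedDict()
    for r in rules:
        c = out.setdefault(r["category"], {"total": 0, "enabled": 0, "disabled": 0})
        c["total"] += 1
        c["enabled" if r["enabled"] else "disabled"] += 1
    return out


def parse_sid_conf(text):
    """Collect (gid, sid) pairs from a *sid.conf file; '#' starts a comment and
    several entries may share a line separated by commas.  Only plain gid:sid
    entries are handled here (no category or pcre entries)."""
    ids = set()
    for raw in text.splitlines():
        for item in raw.split("#", 1)[0].split(","):
            m = re.fullmatch(r"(\d+):(\d+)", item.strip())
            if m:
                ids.add((int(m.group(1)), int(m.group(2))))
    return ids


def apply_sid_lists(text, enable_ids, disable_ids):
    """Regenerate the rules text: comment out disable_ids, uncomment enable_ids.
    Assumption for this example: disablesid is applied first, enablesid second."""
    out = []
    for raw in text.splitlines():
        parsed = parse_rules(raw)
        if not parsed:
            out.append(raw)          # banner, blank or non-rule comment: pass through
            continue
        r = parsed[0]
        key = (r["gid"], r["sid"])
        enabled = r["enabled"]
        if key in disable_ids:
            enabled = False
        if key in enable_ids:
            enabled = True
        out.append(r["text"] if enabled else "# " + r["text"])
    return "\n".join(out) + "\n"


def check_sid_state(rules, enable_ids, disable_ids):
    """Report where the rules file disagrees with the two lists: the check to
    run after PulledPork has rebuilt winids.rules."""
    state = {(r["gid"], r["sid"]): r["enabled"] for r in rules}
    problems = []
    for key in sorted(enable_ids):
        if key not in state:
            problems.append(key + ("not present in rules file",))
        elif not state[key]:
            problems.append(key + ("listed in enablesid but disabled",))
    for key in sorted(disable_ids):
        if key in state and state[key] and key not in enable_ids:
            problems.append(key + ("listed in disablesid but enabled",))
    return problems


if __name__ == "__main__":
    before = parse_rules(SAMPLE_WINIDS_RULES)
    for cat, c in summarize(before).items():
        print(f"{cat:20s} total={c['total']} enabled={c['enabled']} disabled={c['disabled']}")
    enable_ids, disable_ids = parse_sid_conf(ENABLESID_CONF), parse_sid_conf(DISABLESID_CONF)
    print("mismatches before:", check_sid_state(before, enable_ids, disable_ids))
    after = parse_rules(apply_sid_lists(SAMPLE_WINIDS_RULES, enable_ids, disable_ids))
    print("mismatches after: ", check_sid_state(after, enable_ids, disable_ids))
```

Run against a real winids.rules by reading the file into `parse_rules` and the real enablesid.conf / disablesid.conf into `parse_sid_conf`; any tuple returned by `check_sid_state` is a SID whose state in the generated file does not match what the .conf files ask for, which is the symptom the thread started from. The script only reads and reports; the regeneration step is there to show the toggling logic, and the generated file itself should still come from PulledPork, as the post insists.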