Rules tuning categories

user8446
Administrator

If you don't have a certain device or application, you should not be running the rules for them. Here are a few that I have gone through. Just add them to your exclude rules list. Feel free to verify these and add other categories for others.

(Per-category SID lists omitted here.) Categories covered: SymbOS; iOS; Drupal; D-Link IP cameras; Joomla; SMTP; iTunes; Silverlight; Blackberry; Quicktime; ScreenOS; Linksys router; Supermicro; Netgear; Asus; TP-Link; Fritzbox; Belkin; Tenda; Motorola; D-Link; Experimental; WinXP; Win98; POP3; IMAP; Telnet; OSX; Debian; Ubuntu; Solaris; MySQL; Dameware; Quanta LTE router; Lastpass; Bank of Oklahoma; Dropbox; Oracle; IIS; bind9; fireeye; trendmicro; fortigate; cisco; iphone; hikvision; visio; mac; ADSL router; Shuttletech router; Seagate NAS; AOL; Yahoo; York bank; Zyxel; IE; Attack-response; WinZip; Flash; Office; Bitcoin; IRC; ISAPI; Dell.

Running in bridge mode, 1.51 SP1 fw
Re: Rules tuning categories

vpkirk
I added some of these to the exclude list, then did a save and apply, but after it finished processing, they were no longer listed.  Is that normal?  I could not find anything in the admin guide on this either.

Thanks.
Re: Rules tuning categories

user8446
Administrator
I noticed that too. Sometimes I had to do it again.
Running in bridge mode, 1.51 SP1 fw
Re: Rules tuning categories

vpkirk
By putting them in one at a time, I got three rules into the exclude list, one rule per line. It won't take a 4th rule, however.

Any ideas?  Is there an alternate way to do this?  I do have PuTTY access, but am not at home in this system.
Re: Rules tuning categories

user8446
Administrator
I just copied and pasted them in and that's when I noticed too that sometimes the list wouldn't persist after saving. Obviously a bug in the GUI because I put them in directly like you mentioned and didn't have that problem. The file is /etc/snort/rules/exclude.rules
Running in bridge mode, 1.51 SP1 fw
Re: Rules tuning categories

vpkirk
Thanks, editing it directly worked.  Now they show up in the GUI too, and I did an apply... of course that wiped them all out again.
I put them back in directly and reset the shield.  The file was empty after the Shield rebooted.  So I put them back in, and rebooted, again the file was cleared.

Am I missing something?
Re: Rules tuning categories

Hans
Administrator
/usr/lib/lua/luci/controller/snort.lua and /usr/lib/lua/luci/model/cbi/snort.lua are responsible for how LuCI works with the Services > IPS section.

In the cbi/snort.lua this is the code for exclusion tab:
.....
        --------------------- Exclude Rules Tab ------------------------

        config_file5 = s:taboption("tab_rules", TextValue, "text4", "")
        config_file5.wrap = "off"
        config_file5.rows = 25
        config_file5.rmempty = false

        function config_file5.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/rules/exclude.rules"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file5.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/rules/exclude.rules"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
                end
        end
.....

but the code looks clean and similar to the other code that is accessed when changing the custom rules, threshold config, etc.
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes
Re: Rules tuning categories

stangrunner
Just discovered that this script: /etc/snort/rules/exclude_rules.sh parses the exclude.rules contents against the currently loaded snort.rules file and removes entries.  

#!/bin/bash

EXCLUDE_RULES=/etc/snort/rules/exclude.rules
SNORT_RULES=/etc/snort/rules/snort.rules

# Remove all blank lines
sed -i '/^$/d' $EXCLUDE_RULES

# Remove all non-numeric entries
sed -i '/[^0-9]/d' $EXCLUDE_RULES

while read -r line || [[ -n "$line" ]]; do
        sed -i '/sid:'$line'/d' $SNORT_RULES
done < $EXCLUDE_RULES
Re: Rules tuning categories

ben0a
To make the web GUI accept the list, I just had to remove the hidden trailing spaces after each number.
It worked without a problem
Re: Rules tuning categories

vpkirk
Dang, great insight!  That worked for me as well.  Now the entries stick around.
Re: Rules tuning categories

Roadrunnere42
In reply to this post by stangrunner
Hi,
just modified the script so it removes all blank space from the list; seems to work OK.

#!/bin/bash

EXCLUDE_RULES=/etc/snort/rules/exclude.rules
SNORT_RULES=/etc/snort/rules/snort.rules

# Remove all blanks so gui accepts list properly (added by roadrunnere42)
# -i is required so the file is actually edited in place, and this step has
# to run BEFORE the non-numeric filter below, otherwise a line such as
# "2012782 " (trailing space) is deleted as non-numeric before it is cleaned.
# [[:space:]] also covers the CR of CRLF line endings and is portable to busybox sed.
sed -i 's/[[:space:]]//g' $EXCLUDE_RULES

# Remove all blank lines (including lines that were whitespace only)
sed -i '/^$/d' $EXCLUDE_RULES

# Remove all non-numeric entries
sed -i '/[^0-9]/d' $EXCLUDE_RULES

while read -r line || [[ -n "$line" ]]; do
        sed -i '/sid:'$line'/d' $SNORT_RULES
done < $EXCLUDE_RULES

Hans, maybe worth putting into the hotfixes.

roadrunnere42
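Added example, not the Shield's own exclude_rules.sh and not Roadrunnere42's script: a small POSIX sh version of the same filtering that shows why entries with trailing spaces vanished (the non-numeric filter ran before any whitespace cleanup) and that anchors the sid match on the closing ';' so one SID can never delete a rule with a longer sid. The function names, the sample SIDs and the sample rules are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the Shield's own exclude_rules.sh. It builds its own
# temporary exclude list and rules file, so it runs anywhere with GNU/busybox sed.

# Normalise the exclude list in place. Whitespace (spaces, tabs, CR) is stripped
# BEFORE the blank-line and non-numeric filters, so "2012782 " survives instead
# of being thrown away as a "non-numeric" line.
sanitize_excludes() {
    sed -i 's/[[:space:]]//g; /^$/d; /[^0-9]/d' "$1"
}

# Delete every rule whose sid exactly equals a listed SID. The trailing ';' in
# the pattern keeps sid:2012782 from also matching sid:20127821.
prune_rules() {
    while read -r sid || [ -n "$sid" ]; do
        sed -i "/sid:${sid};/d" "$2"
    done < "$1"
}

# Constructed sample data: a SID with a trailing space, a CRLF line, a junk line,
# an empty line and a clean SID; plus four rules, one sharing a 7-digit prefix.
make_samples() {
    excl=$(mktemp) && rules=$(mktemp) || return 1
    printf '2012782 \n2019801\r\nabc\n\n2101487\n' > "$excl"
    printf 'alert tcp any any -> any any (msg:"a"; sid:2012782; rev:1;)\n' > "$rules"
    printf 'alert tcp any any -> any any (msg:"b"; sid:20127821; rev:1;)\n' >> "$rules"
    printf 'alert tcp any any -> any any (msg:"c"; sid:2019801; rev:1;)\n' >> "$rules"
    printf 'alert tcp any any -> any any (msg:"d"; sid:2000005; rev:1;)\n' >> "$rules"
    echo "$excl $rules"
}

# Runs the whole flow and prints "<SIDs kept> <rules remaining>"; expected "3 2".
run_demo() {
    set -- $(make_samples)
    sanitize_excludes "$1"
    prune_rules "$1" "$2"
    printf '%s %s\n' "$(wc -l < "$1" | tr -d ' ')" "$(wc -l < "$2" | tr -d ' ')"
    rm -f "$1" "$2"
}
```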
Re: Rules tuning categories

user8446
Administrator
Thanks, the edit you added is doing what it's supposed to do, but I just tried it and the GUI still wasn't saving it, so there must be a bug somewhere else. Added directly to the file and it saved with no problems.
Running in bridge mode, 1.51 SP1 fw
Re: Rules tuning categories

Ronniem1
In reply to this post by Roadrunnere42
CONTENTS DELETED
The author has deleted this message.
Re: Rules tuning categories

user8446
Administrator
That fix isn't in the hotfix. Just copy and paste it in and you'll be all set.
Running in bridge mode, 1.51 SP1 fw