Pulled Pork configs
Pulled Pork, the rule fetching, processing, and updating script from Sourcefire used by Security Onion has the ability to enable, disable, or make arbitrary modifications to downloaded rules. This behaviour is configured in pulledpork.conf and detailed in the modifysid configuration files which all share a configuration format:
The powerful and flexible syntax used in these files is explained in the documentation block in the upstream files. A few snippets of examples from there will illustrate. Using string and regular expression matching we can modify signatures by keyword and category as well as by SID:
# Comments are allowed in this file, and can also be on the same line # As the modify state syntax, as long as it is a trailing comment # 1:1011 # I Disabled this rule because I could!
# The following example modifies state for all MS07 through MS10 # pcre:MS(07-9|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES) # VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
Black, then White
With the flexibility available we can do intelligent rule management of thousands of rules coming from various sources. This allows us to apply some intelligence to rule management using multiple rounds modification to implement blacklist and whitelisting. First, check the order that Pulled Pork is executing your configs in:
# The following option, state_order, allows you to more finely control the order # that pulledpork performs the modify operations, specifically the enablesid # disablesid and dropsid functions. An example use case here would be to # disable an entire category and later enable only a rule or two out of it. # the valid values are disable, drop, and enable. # state_order=disable,drop,enable
Uncomment this line in pulledpork.conf to enable the feature. On the next run of pp, such as via SO's rule-update the rule processing will run through each of the modify sid conifguration files in order, allowing us to disable VRT or ET categories by name using string or regular expression matches in disablesid.conf and then enable specific rules in enablesid.conf. This gives us maximum precision while easily managing thousands of rules from multiple sources including those we compose locally. For example you can broadly disable rules for operating systems and applications not present in your network but enable a specific rule for a file format you do see.
Once you have completed an IDS Policy Review you'll be able to implement changes to vastly decrease the volume of rules you are running on your sensors without an increase in configuration complexity. You will reduce alert volume and false positives by eliminating less applicable signature rules, will improve sensor performance, and get increased fidelity and utility in your IDS alerts.
The Practice of network Security Monitoring by Richard Bejtlich http://nostarch.com/nsm/
Security Onion home, http://securityonion.blogspot.com/
Pulled pork source code, on Google Code:
Emerging Threats FAQ, "What is the general intent of each category?"