23 Replies Latest reply on Jun 7, 2017 5:58 AM by ahmed.sabanaa

    Snort Rule creation

    ahmed.sabanaa

      Dears,

      I have created new Snort rules, but the rules don't appear on the IPS Policy Signature List.

      Please, any idea?

        • 1. Re: Snort Rule creation
          catdaddy

          Discussion successfully moved from Community Support to Network Security Platform (NSP, NIPS, NAC, NTBA) for better assistance and better exposure.

          • 2. Re: Snort Rule creation
            d_aloy

            Hi Ahmed,

            Have you checked the attack compilation settings on the device tab?

            From the IPS guide:

            Configuration of attack compilation

            The Attack Compilation page enables you to specify the type of attack definitions to be included in the IPS Policies for a specific Sensor.

            To access the Attack Compilation page:

            1. Click the Devices tab.
            2. Select the domain from the Domain drop-down list.
            3. On the left pane, click the Devices tab.
            4. Select the device from the Device drop-down list.
            5. Select Troubleshooting | Attack Compilation.

            You can select the following types of attack definitions for the Sensor:

            • Default McAfee Attacks (from the Signature Set)
            • Custom Attacks–McAfee Format — These are the McAfee Custom Attacks that you defined or received from McAfee.
            • Custom Attacks–Imported Snort Rules — These are the Snort Custom Attacks that you imported into or created in the Manage

            Regards

            David

            • 3. Re: Snort Rule creation
              ahmed.sabanaa

              Hi,

              Thanks for your reply, but the three types are already selected, and the result is the same.

              • 4. Re: Snort Rule creation
                d_aloy

                Hi Ahmed,

                Is the Snort rule 'included' on the custom attack editor?

                If it shows as included, what priority have you given it?

                Does it show on the Default IPS policy?

                Regards

                David

                • 5. Re: Snort Rule creation
                  ahmed.sabanaa

                  [Attachment: custom attacks.JPG]

                  Is the Snort rule 'included' on the custom attack editor? Yes, it is, as above.

                  If it shows as included, what priority have you given it? What is the priority?

                  Does it show on the Default IPS policy? No, it doesn't.

                  • 6. Re: Snort Rule creation
                    d_aloy

                    Hi Ahmed,

                    What's the NSM version you use?

                    Are the SNORT rules showing under the Master Attack Repository policy?

                    Regards

                    David

                    • 7. Re: Snort Rule creation
                      ahmed.sabanaa

                      Dear David,

                      No, it's not, and the NSM version is 8.3.7.52. It only appears on the Custom Attack Snort rule editor.

                      • 8. Re: Snort Rule creation
                        d_aloy

                        Interesting...

                        Priority sets the severity on SNORT rules. Could you share a couple of your rules please?

                        • 9. Re: Snort Rule creation
                          ahmed.sabanaa

                          Hi,

                          Kindly find them below, thanks in advance:

                          alert udp any any -> any 53 (msg:"High NULL requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within:4; content:"|00 00 0a 00 01|"; offset:12; within:255; threshold:type threshold, track by_src, count 10, seconds 5; sid:5700001; rev:1;)

                          alert udp any any -> any 53 (msg:"High CNAME requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within:4; content:"|00 00 05 00 01|"; offset:12; within:255; threshold:type threshold, track by_src, count 10, seconds 5; sid:5700003; rev:1;)
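Before a rule reaches the NSM importer it is worth running it through a syntax check, because the Snort 2 parser is literal about option names and about the trailing semicolon, and a rule that fails to parse simply never shows up in any policy. The linter below is an added example written for this thread; it is not code from the thread, from Snort, or from McAfee/NSP. It assumes Snort 2 rule syntax (a header followed by ';'-terminated options in parentheses), uses constructed copies of the two posted rules as its input, and its "corrected" variants assume the author meant absolute offset/depth windows rather than the relative within modifier, which the thread does not confirm.

```python
"""Lint Snort 2 rules for the syntax slips that stop a rule from loading.

Added example (not from the thread, Snort, or McAfee). Assumes Snort 2 rule
syntax: "<action> <proto> <src> <sport> <dir> <dst> <dport> (opt; opt; ...)".
"""
import re

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir><>|->)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$',
    re.DOTALL,
)

CONTENT_MODIFIERS = {'offset', 'depth', 'distance', 'within', 'nocase', 'rawbytes'}
RELATIVE = {'distance', 'within'}   # measured from the end of the previous content match
ABSOLUTE = {'offset', 'depth'}      # measured from the start of the payload


def split_options(body):
    """Split the option body on ';' outside double quotes.

    Returns (options, tail). 'tail' is whatever follows the last ';'. Snort 2
    requires every option, including the last, to end with ';', so a
    well-formed rule leaves only whitespace there.
    """
    options, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == ';' and not in_quotes:
            options.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    return options, ''.join(cur)


def lint_rule(rule):
    """Return findings as 'error: ...', 'warning: ...' or 'info: ...' strings."""
    findings = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['error: header is not "<action> <proto> <src> <sport> <dir> <dst> <dport> ( ... )"']

    options, tail = split_options(m.group('opts'))
    if tail.strip():
        findings.append('error: last option "%s" is not terminated with ";"' % tail.strip())
        options.append(tail)            # still inspect it below

    names, content_count, current, mixed_reported = [], 0, set(), False
    for raw in options:
        if not raw.strip():
            continue
        name, _, value = raw.partition(':')
        if name.rstrip() != name:       # e.g. "within :4" instead of "within:4"
            findings.append('error: whitespace between option name "%s" and ":"' % name.strip())
        name = name.strip()
        names.append(name)

        if name == 'content':
            content_count += 1
            current, mixed_reported = set(), False
        elif name in CONTENT_MODIFIERS:
            if content_count == 0:
                findings.append('error: "%s" appears before any content match' % name)
                continue
            current.add(name)
            if name in RELATIVE and content_count == 1:
                findings.append('warning: "%s" on the first content is relative to a previous match that does not exist' % name)
            if current & RELATIVE and current & ABSOLUTE and not mixed_reported:
                findings.append('warning: content %d mixes absolute (offset/depth) and relative (distance/within) modifiers' % content_count)
                mixed_reported = True
        elif name == 'threshold':
            findings.append('info: rule-level "threshold" is deprecated in Snort 2.9; prefer detection_filter or threshold.conf')

    for required in ('msg', 'sid'):
        if required not in names:
            findings.append('error: missing "%s"' % required)
    if 'rev' not in names:
        findings.append('warning: missing "rev"')
    return findings


# Constructed copies of the two rules exactly as they were posted in the thread.
RULES_AS_POSTED = [
    'alert udp any any -> any 53 (msg:"High NULL requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within :4; content:"|00 00 0a 00 01|"; offset:12; within:255; threshold: type threshold, track by_src, count 10, seconds 5; sid: 5700001; rev: 1)',
    'alert udp any any -> any 53 (msg:"High CNAME requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within :4; content:"|00 00 05 00 01|"; offset:12; within:255; threshold: type threshold, track by_src, count 10, seconds 5; sid: 5700003; rev: 1)',
]

# Assumed intent (not confirmed by the thread): absolute windows, so offset/depth
# instead of offset/within, and every option terminated with ';'.
RULES_CORRECTED = [
    'alert udp any any -> any 53 (msg:"High NULL requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; depth:2; content:"|00 00 0a 00 01|"; offset:12; depth:255; threshold:type threshold, track by_src, count 10, seconds 5; sid:5700001; rev:1;)',
    'alert udp any any -> any 53 (msg:"High CNAME requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; depth:2; content:"|00 00 05 00 01|"; offset:12; depth:255; threshold:type threshold, track by_src, count 10, seconds 5; sid:5700003; rev:1;)',
]

if __name__ == '__main__':
    for label, rules in (('as posted', RULES_AS_POSTED), ('corrected', RULES_CORRECTED)):
        for rule in rules:
            print(label, '->', lint_rule(rule) or ['clean'])
```

On the rules as posted the linter reports two errors per rule (the space in `within :4` and the missing `;` before the closing parenthesis) plus warnings about `within` being used on a first content match, where there is no previous match for it to be relative to. The corrected variants produce only the informational note about the deprecated rule-level `threshold`.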
