The detail rule explain and documentation

jackson.ku · ‎06-02-2015

Hi,

Please help to mention me where can I fine the detail rule explain and documentation?

Best Regards,

Jackson

hasanul.kabir · ‎06-13-2015

Me also need documents badly

atatistc · ‎06-22-2015

There are several ways to find the rule documentation. You will find some rules documented better than others. This is the only source, there is no other secret repository of detailed rule documentation available.

- Go to www.snort.org. Sign in. If you know the rule SID type it in the search box. You can also type search terms in here like "poodle"

- From the FireSIGHT System analysis view (Analysis -> Intrusion Events) right-click on the blue drill down arrow at the far left of an event and select Rule Documentation

- After drilling down to the packet view expand the Actions section and click the View Documentation link

- Navigate to the rule in any of the IPS policies, click the rule and then the Details button at the bottom

There are doubtless other ways but these are a few.

jackson.ku · ‎06-22-2015

Hi,

Thanks for your help. But I cannot find some rule document ether from www.snort.org or FireSIGHT system...

Best Regards,

Jackson Ku

atatistc · ‎06-22-2015

What rule?

jackson.ku · ‎06-22-2015

Hi,

One of rule without document is "PUA-ADWARE Lucky Leap Adware outbound connection (1:30260)"

I searched www.snort.org but not found the document for this rule. In FireSight, it also no document found, and only provide an external reference url ( virustotal )

Best Regards,

Jackson Ku

atatistc · ‎06-23-2015

That is all the documentation available for that rule. You will find that many if not all of the Adware, spyware, malware rules have little to no documentation. It stems from the fact that writers of adware, spyware and malware don't document their "products." Often times Google is your friend when you want more information about a specific threat but even then sometimes you will find very little information.