Snort mailing list archives
Re: open-test.conf
From: Y M <snort () outlook com>
Date: Tue, 27 Nov 2012 23:46:26 +0300
The best way to enable rules (uncomment) and keep track of enabled, disabled, modified and drop sids is to use PulledPork. With PulledPork you use a policy, which PulledPork uses to enable rules based on the policy metadata defined in each rule. The policies available are:

1. Connectivity.
2. Balanced.
3. Security.
4. "No policy", meaning no policy is defined for a specific rule.

The VRT team suggests starting with the balanced policy. These have been explained on Snort's blog (not the VRT blog). Also, in the documentation of PulledPork they are briefly explained. I would also suggest searching these to grasp a better overall understanding.

The reason the rules are commented out, I guess, and which is a good practice in my opinion, is that each environment you deploy Snort in is unique and requires understanding of several factors such as your network traffic, systems deployed, response methodology, your sensors' location in the network and other factors as well.

I don't use the open-test.conf file, never did. I use the supplied snort.conf file and apply my customization to it.

YM

________________________________
From: k vijay sai prashanth
Sent: 11/27/2012 11:27 PM
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] open-test.conf

Someone please tell me the purpose of the open-test.conf file. I am clueless as to why the VRT team has commented out all the alert rules in the various rules files. How do we manually uncomment so many rules????

Regards,
Prashanth
------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: DESIGN Expert tips on starting your parallel project right. http://goparallel.sourceforge.net
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
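To make the policy-metadata mechanism described in the reply concrete, here is an added illustration (not PulledPork's own code, and not taken from the thread) of how a rule file can be enabled, disabled or switched to drop according to the policy tag in each rule's metadata. VRT rules tag policies as "policy connectivity-ips", "policy balanced-ips" and "policy security-ips" inside the metadata option; a rule with none of those tags is the "no policy" case and is left alone. The sample rule file, its sids (placeholders in the local 1000000+ range) and the ips_mode switch are constructed assumptions for this example; PulledPork's actual option names and file handling are not reproduced.

```python
import re

# Constructed sample rule file in Snort 2 syntax (not real VRT rules; the sids
# are placeholder values in the local 1000000+ range). Rules 1, 2 and 4 are
# shipped commented out, rule 3 is active; rule 4 carries no policy metadata.
SAMPLE_RULES = """\
# Example ruleset (constructed for this illustration)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule one"; flow:to_server,established; content:"one"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule two"; flow:to_server,established; content:"two"; metadata:policy security-ips drop, service http; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule three"; flow:to_server,established; content:"three"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000003; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE rule four, no policy"; content:"four"; sid:1000004; rev:1;)
"""

POLICIES = ("connectivity", "balanced", "security")

# One Snort 2 rule per line: optional "#" (disabled), action, 6-token header,
# then the option block in parentheses. Lines that do not match pass through.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|log|pass|drop|sdrop|reject)\s+"
    r"(?P<header>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"\bmetadata:\s*([^;]*);")


def parse_rule(line):
    """Split one rule line into its parts; return None for non-rule lines."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    options = m.group("options")
    sid = SID_RE.search(options)
    policies = set()
    meta = METADATA_RE.search(options)
    if meta:
        # metadata is a comma-separated list such as
        # "policy balanced-ips drop, policy security-ips drop, service http"
        for item in meta.group(1).split(","):
            parts = item.split()
            if len(parts) == 3 and parts[0] == "policy" and parts[1].endswith("-ips"):
                policies.add(parts[1][: -len("-ips")])
    return {
        "disabled": m.group("disabled") is not None,
        "action": m.group("action"),
        "header": m.group("header"),
        "options": options,
        "sid": int(sid.group(1)) if sid else None,
        "policies": policies,
    }


def apply_policy(rules_text, policy, ips_mode=False):
    """Rewrite a rule file for one policy.

    Rules tagged with the chosen policy are enabled, everything else is
    commented out. With ips_mode (an assumption of this example) enabled
    alert rules are switched to drop. Returns (new text, summary of sids).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}; choose one of {POLICIES}")
    out_lines = []
    summary = {"enabled": [], "disabled": [], "dropped": [], "unchanged": []}
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out_lines.append(line)  # comments, blank lines, anything unparsed
            continue
        active = policy in rule["policies"]
        action = rule["action"]
        if active and ips_mode and action == "alert":
            action = "drop"
        prefix = "" if active else "# "
        out_lines.append(f'{prefix}{action} {rule["header"]} ({rule["options"]})')
        sid, changed = rule["sid"], False
        if active and rule["disabled"]:
            summary["enabled"].append(sid)
            changed = True
        elif not active and not rule["disabled"]:
            summary["disabled"].append(sid)
            changed = True
        if action != rule["action"]:
            summary["dropped"].append(sid)
            changed = True
        if not changed:
            summary["unchanged"].append(sid)
    return "\n".join(out_lines) + "\n", summary


def enabled_sids(rules_text):
    """Set of sids that are active (not commented out) in a rule file."""
    rules = (parse_rule(line) for line in rules_text.splitlines())
    return {r["sid"] for r in rules if r is not None and not r["disabled"]}


if __name__ == "__main__":
    for policy in POLICIES:
        text, summary = apply_policy(SAMPLE_RULES, policy)
        print(policy, summary, "active:", sorted(enabled_sids(text)))
```

Running the block over the constructed file shows why "balanced" is the usual starting point: it activates rules one and three, leaves the security-only rule two and the untagged rule four commented out, and with ips_mode it records which sids were switched to drop, which is the per-sid bookkeeping the reply recommends keeping.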
Current thread:
- open-test.conf k vijay sai prashanth (Nov 27)
- <Possible follow-ups>
- Re: open-test.conf Y M (Nov 27)
- Re: open-test.conf Joel Esler (Nov 27)
- Re: open-test.conf waldo kitty (Nov 27)
- Re: open-test.conf JJC (Nov 27)
- Re: open-test.conf Castle, Shane (Nov 27)
- Re: open-test.conf waldo kitty (Nov 27)
- Re: open-test.conf Joel Esler (Nov 27)
- Re: open-test.conf waldo kitty (Nov 28)
- Re: open-test.conf Joel Esler (Nov 28)
