Snort mailing list archives
Re: Rule Management with two separate rulesets
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 17 Jul 2013 12:49:20 -0400
On 7/16/2013 23:08, Steven McLaughlin wrote:
Hi All, I am looking at testing emerging threats ruleset alongside snort rules. As far as directory structures are concerned is it best to have the rules in separate directories and run two separate instances of pulledpork? Or better to have both rule sets all in the one directory? The overlap could get complicated here with rule updates and snort conf files etc. Is anyone else doing this? If so any advice?
we run both sets here... not testing...
we do not (yet) use pulledpork...
we have all the rules files in one directory...
each is differentiated by their name...
blah.rules from VRT (kinda wish they'd put VRT-blah.rules)...
emerging-blah.rules from ET...
we have all rules named in snort.conf so that we can manage them by "category"
(ie: filename)... in this way, we can enable or disable an entire category with
one edit to (un)comment one filename...
having the rules all in one directory also allows for easier management of
sid-msg.map because the generator for that file can simply run thru all files in
the one rules directory...
we have no problem with rules updates... we (currently) pull VRT rules once a
week and ET rules once a day...
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
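The two mechanisms waldo kitty describes, enabling or disabling a whole category by (un)commenting one include line in snort.conf and generating sid-msg.map by running through every file in the single rules directory, as an added Python example that is not from the post or from any Snort tool; the rule files, sids, messages and include lines below are constructed samples.

```python
import re
from pathlib import Path

# Constructed sample of the "one rules directory" layout from the post:
# VRT blah.rules beside ET emerging-blah.rules (sids and messages are made up).
SAMPLE_RULES = {
    "blah.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE VRT rule"; sid:1000001; rev:1;)\n'
        '# alert tcp any any -> any any (msg:"EXAMPLE VRT disabled rule"; sid:1000002; rev:1;)\n'
    ),
    "emerging-blah.rules": (
        'alert udp any any -> any 53 (msg:"EXAMPLE ET rule \\"quoted\\""; sid:2000001; rev:2;)\n'
        'alert tcp any any -> any any (msg:"EXAMPLE ET sid clash"; sid:1000001; rev:1;)\n'
    ),
    "emerging-unused.rules": 'alert ip any any -> any any (msg:"EXAMPLE not included"; sid:2000002; rev:1;)\n',
}
SAMPLE_SNORT_CONF = (
    "include $RULE_PATH/blah.rules\n"
    "include $RULE_PATH/emerging-blah.rules\n"
    "# include $RULE_PATH/emerging-unused.rules\n"  # whole category disabled by one '#'
)

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')   # msg may contain \" escapes
INCLUDE_RE = re.compile(r'^\s*include\s+\$RULE_PATH/(\S+\.rules)\s*$')

def enabled_categories(snort_conf_text):
    """Rule file names from active include lines; a commented include never matches."""
    return [m.group(1) for m in map(INCLUDE_RE.match, snort_conf_text.splitlines()) if m]

def parse_rules(text):
    """Yield (sid, msg) for every active rule line; commented-out rules are skipped."""
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if sid and msg:
            yield int(sid.group(1)), msg.group(1)

def build_sid_msg_map(rule_texts, snort_conf_text):
    """Return (sid-msg.map lines, sid clashes) for the categories snort.conf enables.
    rule_texts maps filename -> content, so load_rules_dir() can feed it a real directory."""
    entries, clashes = {}, []
    for name in enabled_categories(snort_conf_text):
        for sid, msg in parse_rules(rule_texts.get(name, "")):
            if sid in entries and entries[sid] != msg:
                clashes.append((sid, name))  # same sid, different msg: operator must resolve
                continue
            entries[sid] = msg
    return [f"{sid} || {msg}" for sid, msg in sorted(entries.items())], clashes

def load_rules_dir(rules_dir):
    """Read every *.rules file in one directory into the mapping build_sid_msg_map expects."""
    return {p.name: p.read_text(errors="replace") for p in Path(rules_dir).glob("*.rules")}
```

The clash list is the check worth running after every VRT or ET pull: a sid that maps to two different messages means the two rulesets collided and the map (and alerts) would be ambiguous.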
