Snort mailing list archives
Re: Default rule set
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 17 May 2014 10:47:11 -0400
On 5/17/2014 6:43 AM, Y M wrote:
> ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET (EmergingThreats) rules sets?? ;) I don't think ET ruleset has these policies.
exactly, thanks for confirming this, YM... it is especially important since the OP's original question mentioned ET rules...
> In the VRT ruleset, these are represented through the "metadata" tag with options of "policy connectivity-ips", "policy balanced-ips", "policy security-ips", and the most recent one "ruleset community". PulledPork use these along with the "-I <policy>" to determine what rules to enable.
yes, this confirms the method with which the policy is determined... it is also helpful for those who don't know or understand it...
> During early tests, running PulledPork against both VRT and ET with a policy specified, did not enable any ET rule. Two options to overcome this: 1. Add ET sids/categories into enablesid.conf, and PulledPork will enable them regardless of policy specified, or (better) 2. Since PulledPork now processes modifysid.conf first (before enablesid.conf), add pcre to modify ET rules to include the desired policy and PulledPork should pick it up from there. I will need to re-test this one though.
ahh, very nice... i'm glad to see the PP has come such a long way in the short time it has been available... excellent work by the maintainer! ;)
--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
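An added example of the two mechanisms discussed in the quoted text above (a policy filter that keys on the rule's metadata tag, and a modifysid-style rewrite that gives ET rules a policy tag so the filter picks them up), written here in Python; it is not PulledPork's own code, and the sample rules and the rewrite logic are constructed for illustration rather than taken from modifysid.conf syntax.

```python
import re

# Constructed sample rules (not from the thread): two VRT-style rules that carry
# policy metadata and one ET-style rule (sid starting with 2) that carries none.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"VRT sample A"; '
    'metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"VRT sample B"; '
    'metadata:policy security-ips drop; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET sample"; '
    'classtype:trojan-activity; sid:2000001; rev:1;)',
]

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')


def policies_of(rule):
    """Return the set of policy names listed in the rule's metadata tag."""
    m = META_RE.search(rule)
    if not m:
        return set()
    return {item.split()[1] for item in m.group(1).split(',')
            if item.strip().startswith('policy ')}


def enabled_sids(rules, policy):
    """Emulate '-I <policy>': a rule is enabled only if its metadata names that policy."""
    return sorted(int(SID_RE.search(r).group(1)) for r in rules
                  if policy in policies_of(r))


def add_policy_to_rules(rules, sid_prefix, policy):
    """Emulate the modifysid approach: tag rules whose sid starts with sid_prefix
    (ET sids start with 2) with the desired policy so the policy filter keeps them."""
    out = []
    for r in rules:
        sid = SID_RE.search(r).group(1)
        if sid.startswith(sid_prefix) and policy not in policies_of(r):
            if META_RE.search(r):
                # Append to an existing metadata tag.
                r = META_RE.sub(lambda m: f'metadata:{m.group(1).strip()}, '
                                f'policy {policy} drop;', r, count=1)
            else:
                # No metadata tag at all: insert one just before the sid option.
                r = r.replace(' sid:', f' metadata:policy {policy} drop; sid:', 1)
        out.append(r)
    return out
```

Running the filter before and after the rewrite shows the ET rule appearing in the enabled set only once it carries the policy tag, which is the behaviour the quoted text describes.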