Re: VRT rules policy question

[wkitty42 () windstream net]

On 04/04/2017 03:52 PM, Stanford Prescott wrote:
> Maybe if it is felt that the ET rules need to be disabled, it would be better
> to just remove the includes for the ET rules (comment them out) in the
> snort.conf file instead of disabling each separate alert in each ET rules
> file. That would make it somewhat easier for the user to re-enable the ET
> rules files than having to uncomment each separate alert in the ET rules
> files.


it would also make it faster for the updates as well as retaining the existing 
enabled/disabled rules in the ET files... if PP is marking each individual ET 
rule as disabled, that loses the existing configuration and it will be very hard 
for the user to return to using the ET rules in at least their default as 
distributed condition...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!