Re: Fine tuning Snort

[Joel Esler <jesler () sourcefire com>]

The biggest change is that pulledpork manages your rules. All rules are therefore put into one file.  Instead of the 
broken out categories. 

Plus you get the ability to manage your rulesets by the Sourcefire default recommendations. 


Sent from my iPhone

On Oct 9, 2010, at 10:19 AM, James Lay <jlay () slave-tothe-box net> wrote:

> Thanks Shawn....I suspect I will have to go to Pulled Pork at some
> time...I hope it's not too much of a hassle ;)
>
> James
>
> On 10/8/10 10:02 AM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
> wrote:
>
> > PulledPork has this functionality built in.. you can disable rules based
> > on a PCRE.  I don't run McAfee VirusScan for instance, so I can disable
> > all current and all future rules for it.  Also, it's currently being
> > developed, unlike Oinkmaster.
> >
> >
> > -----Original Message-----
> > From: Josh Little [mailto:josh () zombietango com]
> > Sent: Friday, October 08, 2010 6:09 AM
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Fine tuning Snort
> >
> > I have a small tool written in Perl called Pigsty that will automate
> > finding any sigs in your enabled ruleset that match a pattern. The tool
> > will output a list of disablesid lines that you can then drop into your
> > oinkmaster.conf file or have the tool directly append the file. This
> > makes cleaning up your current rules much easier. You could probably
> > modify the oinkmaster perl script to run Pigsty just after the latests
> > sigs are downloaded and before the routine for commenting out disabled
> > sids completes.
> >
> > Find it at http://zombietango.com/blog/tools/
> >
> > ZT
> >
> >
> > --------------------------------------------------------------------------
> > ----
> > Beautiful is writing same markup. Internet Explorer 9 supports
> > standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> > Spend less time writing and  rewriting code and more time creating great
> > experiences on the web. Be a part of the beta today.
> > http://p.sf.net/sfu/beautyoftheweb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users