Snort mailing list archives
Re: (no subject)
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 3 Mar 2011 08:06:45 -0500
I'm not positive but I believe it enables only the ones that are actually needed based on what is actually needed. Meaning if a rule is enabled that uses flowbits:isset,http.quicktime; and the rule(s) that contain flowbits:set,http.quicktime; are disabled then it will enable that/those rules. I do not think it enables every flowbits:set rule. On Wed, Mar 2, 2011 at 9:42 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 3/1/2011 16:36, Alan Ptak wrote:And the obligatory follow-up and shameless promotion for pulledpork (http://code.google.com/p/pulledpork/) follows: If you use pulledpork (http://code.google.com/p/pulledpork/) to manage your snort rules, it will automatically enable the rules needed to set any flowbits needed.shouldn't this be selectable somehow? perhaps the flowbits setting rules were deactivated by the publisher for some special reason and one may not want all of them enabled... for instance, i record some ~12 flowbits setting rules /still/ deactivated in the 2.8.6.1 ruleset... while i may not want all of them activated, i may desire only a couple of them... so, two questions... 1. why are the rules that use these flowbits not also commented out in the 2.8.6.1 ruleset? it has been "a month or two" since the situation was brought up... yes, this question is actually for the VRT folks... 2. how can/does PP handle the possibility of enabling only one or two of the flowbits setting rules if not all of them are desired to be enabled? ------------------------------------------------------------------------------ Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- (no subject) sasa susmanto (Mar 01)
- Re: (no subject) Joel Esler (Mar 01)
- Re: (no subject) Alan Ptak (Mar 02)
- Re: (no subject) waldo kitty (Mar 02)
- Re: (no subject) Jason Wallace (Mar 03)
- Re: (no subject) Jefferson, Shawn (Mar 03)
- Re: (no subject) JJC (Mar 03)
- Re: (no subject) Jefferson, Shawn (Mar 03)
- Re: (no subject) Dave Venman (Mar 03)
- Re: (no subject) Joel Esler (Mar 04)
- Re: (no subject) Alan Ptak (Mar 02)
- Re: (no subject) Joel Esler (Mar 01)
- <Possible follow-ups>
- (no subject) sasa susmanto (Mar 02)
- Re: (no subject) Alan Ptak (Mar 02)