Snort mailing list archives
Re: pulled pork
From: NA <dustypath () comcast net>
Date: Sat, 05 Mar 2011 12:47:11 -0800
Hello,

I am trying to get started on enabling/disabling rules via PulledPork but need more info.

First off, the question asked about commenting out rules files in snort.conf is irrelevant with PulledPork? It was not answered.

Second, if I wish to say, allow Skype on the network (inline deployment) do I use the rule number to allow Skype in PulledPork or comment it out in p2p.rules, enabled or not in snort.conf? Or just use p2p.rules to get the rule number to put in dropsid.conf. The latter seems to make the most sense, per this section of the file:

Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010

Thanks
Bill B
Looks correct, if PP reports no file change then the md5 file is not actually changing, I would manually download the rules tarball that you are talking about and compare to the md5 that ET publishes.. if they are different then we need to talk to the ET folks about making sure that the md5 file is updated with the file.

On Sat, Mar 5, 2011 at 4:48 AM, Michael Lubinski <michael.lubinski () gmail com> wrote:

The pulledpork also always says that nothing has changed even though I know the sigs are changing daily for the ET ruleset. My rule URL is

rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl

Is this incorrect syntax?

On Fri, Mar 4, 2011 at 11:28 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:

Michael,

In the pulledpork.conf file there is a section near the beginning of the file where you can add a list of rule file names to ignore.

Thx,
Wally

On Mar 4, 2011 11:04 PM, "Michael Lubinski" <michael.lubinski () gmail com> wrote:

> If I am not mistaken pulled pork combines the rules into a snort.rules file
> so the rest of the rules for snort should be commented out except for
> snort.rules.
>
> If that is correct I have another question, the block rules from ET are
> contained within that snort.rules, I get an unknown rule option for fwsam
> which I am not running. What option do I have to modify in pulledpork.conf
> to have it not pull these block rules down?

------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details its effect on application quality, and explores various alternative solutions.
http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
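The manual comparison suggested in the reply above (hash the downloaded tarball, compare it to the published md5), as an added example that is not part of the original thread. It assumes coreutils `md5sum` is available; the function names, verdict words and file names are constructed for illustration, and the tarball and .md5 file are passed in as local paths.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether "no file change" is real
# or whether the published .md5 file lags behind the rules tarball.

# Lowercase MD5 hex digest of a file.
file_md5() { md5sum "$1" | awk '{print tolower($1)}'; }

# First 32-hex-digit token in a published .md5 file; accepts a bare digest
# or "digest  filename", upper or lower case, LF or CRLF line endings.
published_md5() {
    tr -d '\r' < "$1" | tr 'A-F' 'a-f' | grep -Eo '[0-9a-f]{32}' | head -n 1
}

# check_rules TARBALL MD5FILE [LAST_SEEN_MD5]
# Prints one verdict and returns 0; prints "error" and returns 1 on bad input.
#   updated    tarball matches the published md5 and differs from LAST_SEEN_MD5
#   unchanged  tarball matches the published md5 and equals LAST_SEEN_MD5
#   stale-md5  tarball does not match the published md5 file
check_rules() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then echo error; return 1; fi
    have=$(file_md5 "$1")
    want=$(published_md5 "$2")
    if [ -z "$want" ]; then echo error; return 1; fi
    if [ "$have" != "$want" ]; then echo stale-md5
    elif [ "$have" = "$3" ]; then echo unchanged
    else echo updated
    fi
}

# Demo on constructed files (stand-ins for the downloaded tarball and .md5).
demo_dir=$(mktemp -d)
printf 'alert tcp any any -> any any (msg:"constructed"; sid:1000001;)\n' \
    > "$demo_dir/rules.tar.gz"
file_md5 "$demo_dir/rules.tar.gz" > "$demo_dir/rules.tar.gz.md5"
check_rules "$demo_dir/rules.tar.gz" "$demo_dir/rules.tar.gz.md5"
rm -rf "$demo_dir"
```

A `stale-md5` verdict on a clean download is the case the reply describes: the tarball changed but the md5 file did not, so an updater that only compares the md5 file sees no change.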
Current thread:
- pulled pork Michael Lubinski (Feb 03)
- Re: pulled pork Joel Esler (Feb 04)
- <Possible follow-ups>
- pulled pork Michael Lubinski (Mar 04)
- Re: pulled pork Jason Wallace (Mar 04)
- Re: pulled pork Michael Lubinski (Mar 05)
- Re: pulled pork JJC (Mar 05)
- Re: pulled pork NA (Mar 05)
- Re: pulled pork Jason Wallace (Mar 04)