Re: thinning out the rules

[JJC <cummingsj () gmail com>]

Depending on your needs, there are a number of tools that can
accomplish what you want. Pulledpork being the most feature rich of
these.  In this case, simply adding pcre:netware to the
disablesid.conf will disable all rules that contain the string
"netware".  The benefit of using PP would be simple process
repeatability and full ruleset/type support (shared objects,
preprocessor rules, etc)

JJC

On Thursday, January 20, 2011, Edward Fjellskål
<edwardfjellskaal () gmail com> wrote:
> For what its worth, I recently wrote a bit different rule management
> tool that I use personally.
> Blogged about it here: http://www.gamelinux.org/?p=240
>
> Suppose the msg: field of the rule contains netware and thats relevant for
> what you are looking for, I would do:
>
> ./polman -i <mysensor> -s "netware"
>
> that displays me a total of 321 rules, 99% or so are in "deleted" and
> not enabled by default.
> (my db holds vrt + et rules)
>
> I use my own tool with great luck and lots of joy. Read the blog for more info.
> This might not be the answer you are looking for, but maybe it gives
> you some ideas.
>
> I also wrote a small bash script that I used together with oinkmaster:
> https://github.com/gamelinux/sidrule
> It basically uses 'sed' to alter the state of the rules in the rulefiles, then I
> used disablesid.pl or something to make a persistant file to feed to oinkmaster
> so it would remember what I did or someht
>
>
> On Thu, Jan 20, 2011 at 3:20 PM, Michael Lubinski
> <michael.lubinski () gmail com> wrote:
> > Rather than go through each .txt file for each rule is there a better way to
> > thin out the rules that don't apply to the network its on.
> > e.g, netware is not running on the network. How can i find and disable all
> > netware alerts.
> >
> > ------------------------------------------------------------------------------
> > Protect Your Site and Customers from Malware Attacks
> > Learn about various malware tactics and how to avoid them. Understand
> > malware threats, the impact they can have on your business, and how you
> > can protect your company and customers by using code signing.
> > http://p.sf.net/sfu/oracle-sfdevnl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
> Edward Bjarte Fjellskål
> Senior Security Analyst
> http://www.gamelinux.org/
>
> ------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand
> malware threats, the impact they can have on your business, and how you
> can protect your company and customers by using code signing.
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users