Snort mailing list archives
Re: Pulled Pork Not Enabling ET Rules
From: JJC <cummingsj () gmail com>
Date: Fri, 20 May 2011 14:13:49 -0600
Actually, the default behavior should be to leave the rules in the state that they were in the original source files. Of course, if you specify a security policy base (Security, Balanced, Connectivity) then it will modify the rule state based on the metadata.

JJC

On Fri, May 20, 2011 at 1:41 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

> On 5/20/2011 7:06 PM, Gibson, Nathan J. (HSC) wrote:
>> I need some help. I noticed recently that PP is not enabling my ET rule sets and for the life of me I can figure out why. Config details are below. PP verbose output attached and rules file attached.
>
> enablesid.conf and disablesid.conf have documentation in the files themselves that is pretty straightforward. Also, you don't want to be enabling all the rules in the ET ruleset in those files. They have several disabled-by-default rules for a reason.
>
> pulledpork will enable all the rules files that it downloads by default, so you should only disable which files you do not want inside of the pulledpork.conf's ignore option.
>
> Example from my pulledpork.conf:
>
> ---snip---
> ignore=emerging-botcc-BLOCK.rules,emerging-chat.rules,emerging-compromised-BLOCK.rules,emerging-deleted.rules,emerging-drop.rules,emerging-drop-BLOCK.rules,emerging-dshield.rules,emerging-dshield-BLOCK.rules,emerging-games.rules,emerging-icmp.rules,emerging-icmp_info.rules,emerging-rbn-BLOCK.rules,emerging-shellcode.rules,emerging-tor-BLOCK.rules,deleted.rules,experimental.rules,icmp.rules,icmp-info.rules,info.rules,shellcode.rules,local.rules,decoder.preproc,preprocessor.preproc,sensitive-data.preproc
> ---snip---
>
> Just put what you want to omit into the ignore list; otherwise the default behavior is to enable the rule.
>
> --
> Eoin
>
> ------------------------------------------------------------------------------
> What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters.
> http://p.sf.net/sfu/intel-dev2devmay
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
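Added illustration, not pulledpork's own code: a small Python model of the behaviour discussed in this thread (rule state kept as shipped in the source file, the pulledpork.conf ignore= list excluding whole files, enablesid/disablesid overrides), plus a check that lists the sids an enablesid entry would switch on although the source file shipped them disabled. The sample rules, sids and file names are constructed for this example, and the order in which overrides are applied is an assumption, not pulledpork's documented behaviour.

```python
import re

# Constructed sample in the style of a downloaded ET rules file; a leading "#" is how
# the source file ships a rule disabled by default. Sids are made up for this example.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE noisy rule, off by default"; sid:9000002; rev:1;)
#alert udp any any -> any 53 (msg:"SAMPLE dns rule, off by default"; sid:9000003; rev:2;)
# a plain comment line, not a rule
"""

# Optional "#" (disabled), a rule action, then the sid option somewhere in the rule body.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s.*?\bsid:\s*(?P<sid>\d+);')

def parse_rules(text):
    """Return {sid: enabled}, keeping the state each rule had in the source file."""
    state = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            state[int(m.group('sid'))] = m.group('off') is None
    return state

def select_files(downloaded, ignore_line):
    """Model of pulledpork.conf's ignore= option: every downloaded rules file is used
    unless it is named in the comma-separated ignore list."""
    ignored = {f.strip() for f in ignore_line.split('=', 1)[1].split(',') if f.strip()}
    return [f for f in downloaded if f not in ignored]

def apply_sid_overrides(state, enable_sids=(), disable_sids=()):
    """Model of enablesid.conf / disablesid.conf: explicit sid overrides replace the
    source state. Assumption for this example: disables are applied after enables."""
    out = dict(state)
    for sid in enable_sids:
        if sid in out:
            out[sid] = True
    for sid in disable_sids:
        if sid in out:
            out[sid] = False
    return out

def force_enabled(state, enable_sids):
    """Sids an enablesid entry would switch on although the source shipped them
    disabled; review these before deploying, since they were off for a reason."""
    return sorted(sid for sid in enable_sids if sid in state and not state[sid])
```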