Re: Pulled Pork Not Enableing ET Rules

[JJC <cummingsj () gmail com>]

Actually, the default behavior should be to leave the rules in the state
that they were in in the original source files.  Of course if you specify a
security policy base (Security, Balanced, Connectivity) then it will modify
the rulestate based on the metadata.

JJC

On Fri, May 20, 2011 at 1:41 PM, Eoin Miller <
eoin.miller () trojanedbinaries com> wrote:

>  On 5/20/2011 7:06 PM, Gibson, Nathan J. (HSC) wrote:
>
>
>
> I need some help. I noticed recently that PP is not enabling my ET rule
> sets and for the life of me I can figure out why.  Config details are below.
> PP verbose output attached and rules file attached.
>
>
>
>  enablesid.conf and disablesid.conf have documentation in the files
> themselves that is pretty straight forward. Also, you don't want to be
> enabling all the rules in the ET ruleset in those files. They have several
> disabled by default rules for a reason. pulledpork will enable all the rules
> files that it downloads by default, so you should only disable which files
> you do not want inside of the pulledpork.conf's ignore option.
>
> example from my pulledpork.conf:
> ---snip---
>
> ignore=emerging-botcc-BLOCK.rules,emerging-chat.rules,emerging-compromised-BLOCK.rules,emerging-deleted.rules,emerging-drop.rules,emerging-drop-BLOCK.rules,emerging-dshield.rules,emerging-dshield-BLOCK.rules,emerging-games.rules,emerging-icmp.rules,emerging-icmp_info.rules,emerging-rbn-BLOCK.rules,emerging-shellcode.rules,emerging-tor-BLOCK.rules,deleted.rules,experimental.rules,icmp.rules,icmp-info.rules,info.rules,shellcode.rules,local.rules,decoder.preproc,preprocessor.preproc,sensitive-data.preproc
> ---snip---
>
> Just put what you want to omit into the ignore list, otherwise the default
> behavior is to enable the rule.
>
> -- Eoin
>
>
>
> ------------------------------------------------------------------------------
> What Every C/C++ and Fortran developer Should Know!
> Read this article and learn how Intel has extended the reach of its
> next-generation tools to help Windows* and Linux* C/C++ and Fortran
> developers boost performance applications - including clusters.
> http://p.sf.net/sfu/intel-dev2devmay
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users