Snort mailing list archives
Re: Rule Management with two separate rulesets
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 17 Jul 2013 12:49:20 -0400
On 7/16/2013 23:08, Steven McLaughlin wrote:
Hi All, I am looking at testing emerging threats ruleset alongside snort rules. As far as directory structures are concerned is it best to have the rules in separate directories and run two separate instances of pulledpork? Or better to have both rule sets all in the one directory? The overlap could get complicated here with rule updates and snort conf files etc.. Is anyone else doing this? If so any advice?
we run both sets here... not testing... we do not (yet) use pulledpork... we have all the rules files in one directory... each is differentiated by their name... blah.rules from VRT (kinda wish they'd put VRT-blah.rules)... emerging-blah.rules from ET...

we have all rules named in snort.conf so that we can manage them by "category" (ie: filename)... in this way, we can enable or disable an entire category with one edit to (un)comment one filename... having the rules all in one directory also allows for easier management of sid-msg.map because the generator for that file can simply run thru all files in the one rules directory...

we have no problem with rules updates... we (currently) pull VRT rules once a week and ET rules once a day...

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
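The reply's approach of keeping both rulesets in one directory and regenerating sid-msg.map from every file there, as an added example (not code from the list or from the Snort/pulledpork projects): it reads each *.rules file, skips commented-out (disabled) rules, emits classic "sid || msg || ref" lines, and fails loudly on a sid collision between the two rulesets. The two rule files below are constructed sample input, and the sids and reference are placeholders.

```python
import os
import re

# Constructed sample: one VRT-style file and one ET-style file as they would sit
# side by side in a single rules directory. Sids and reference are placeholders.
SAMPLE_RULES = {
    "web-attacks.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACKS sample probe"; '
        'content:"/cgi-bin/"; reference:url,example.com/sample; sid:1000001; rev:2;)\n'
        '# alert tcp any any -> any any (msg:"disabled rule"; sid:1000002; rev:1;)\n'
    ),
    "emerging-scan.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN sample sweep"; '
        'flags:S; threshold:type both,track by_src,count 20,seconds 60; sid:2000001; rev:3;)\n'
    ),
}

MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference:\s*([^;]+);')

def parse_rules_text(text):
    """Yield (sid, msg, [refs]) for every enabled rule line in one .rules file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment or disabled rule: must not end up in sid-msg.map
        sid_m, msg_m = SID_RE.search(line), MSG_RE.search(line)
        if sid_m and msg_m:
            yield int(sid_m.group(1)), msg_m.group(1), [r.strip() for r in REF_RE.findall(line)]

def build_sid_msg_map(rules_by_file):
    """Merge every category file into sid-msg.map lines (v1 layout), sorted by sid."""
    entries = {}
    for fname in sorted(rules_by_file):
        for sid, msg, refs in parse_rules_text(rules_by_file[fname]):
            if sid in entries:
                # the overlap the original poster worried about: two rulesets, one sid
                raise ValueError(f"duplicate sid {sid} in {fname}")
            entries[sid] = " || ".join([str(sid), msg] + refs)
    return [entries[s] for s in sorted(entries)]

def load_rules_dir(path):
    """Read every *.rules file from one rules directory, keyed by filename (category)."""
    rules = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".rules"):
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                rules[name] = fh.read()
    return rules

if __name__ == "__main__":
    print("\n".join(build_sid_msg_map(SAMPLE_RULES)))
```

Run it against a real directory with `build_sid_msg_map(load_rules_dir("/etc/snort/rules"))`; a disabled category stays out of the map only if its rules are commented, not merely its include line in snort.conf.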