Snort mailing list archives
Re: Default rule set
From: Y M <snort () outlook com>
Date: Sat, 17 May 2014 10:43:58 +0000
ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET (EmergingThreats) rules sets?? ;)
I don't think ET ruleset has these policies. In the VRT ruleset, these are represented through the "metadata" tag with options of "policy connectivity-ips", "policy balanced-ips", "policy security-ips", and the most recent one "ruleset community". PulledPork use these along with the "-I <policy>" to determine what rules to enable. During early tests, running PulledPork against both VRT and ET with a policy specified, did not enable any ET rule. Two options to overcome this:1. Add ET sids/categories into enablesid.conf, and PulledPork will enable them regardless of policy specified, or (better)2. Since PulledPork now processes modifysid.conf first (before enablesid.conf), add pcre to modify ET rules to include the desired policy and PulledPork should pick it up from there. I will need to re-test this one though. YM
Date: Fri, 16 May 2014 20:57:36 -0400 From: wkitty42 () windstream net To: snort-users () lists sourceforge net Subject: Re: [Snort-users] Default rule set On 5/16/2014 1:16 PM, Kurzawa, Kevin wrote:If you use the "security" ruleset (vs the connectivity or balanced ruleset) then you will end up with around 6K rules. Balanced is a several hundred fewer, I believe. The criteria for what each ruleset consists of is found on the snort.org site. It has to do with age and criticality, basically.ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET (EmergingThreats) rules sets?? ;) -- NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Default rule set Sallee, Jake (May 16)
- Re: Default rule set James Lay (May 16)
- Re: Default rule set Kurzawa, Kevin (May 16)
- Re: Default rule set Joel Esler (jesler) (May 16)
- Re: Default rule set waldo kitty (May 16)
- Re: Default rule set Y M (May 17)
- Re: Default rule set waldo kitty (May 17)
- Message not available
- Message not available
- Re: Default rule set Sallee, Jake (May 17)
- Message not available
- Default rule set Sallee, Jake (May 17)
- Re: Default rule set Y M (May 18)
- Re: Default rule set Jefferson, Shawn (May 23)