Snort mailing list archives
Re: Pulledpork: preprocessors, ips_policy and snort.conf
From: Y M <snort () outlook com>
Date: Sun, 26 Apr 2015 11:31:14 +0000
From: miboe60 () hotmail com
To: snort-users () lists sourceforge net
Date: Sun, 26 Apr 2015 12:51:18 +0200
Subject: [Snort-users] Pulledpork: preprocessors, ips_policy and snort.conf

Hello

How does the pulledpork ips_policy work in conjunction with the snort.conf?

# The best way I understand it is that the policy ties to the policy specification in Snort rules. If you look at the rules' metadata, you will see the policy specification for a given rule. When you run PulledPork specifying the policy using the (-I <security|balanced|connectivity>) switch, it will enable the rules whose metadata policy matches the selected policy.

In more detail, does it still make sense to activate preprocessors in my snort.conf, or are they ignored by pulledpork?

# If the preprocessor's stub rules are denoted with the appropriate policy metadata, then PulledPork will enable them according to the chosen policy (security|balanced|connectivity).

For example, if I activate the arpspoof preprocessor in snort.conf, and then run Pulledpork in 'security' mode, the arpspoof rules are all commented. Surely, I can activate them through the 'enablesid.conf', but then it would mean that the snort.conf options are ignored?

# See my second comment above. Having the preprocessor not report any output, i.e. alerts, does not mean that the preprocessor is not working. A simpler example in this case is the http_inspect preprocessor. It has its own rules/gid which may not be enabled; however, it is still processing HTTP traffic to be used in text rules, i.e. http_header, http_uri, etc.

Regards
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
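The reply above describes the mechanism in words: PulledPork's -I switch picks a policy, and a rule is left enabled only when its metadata carries a matching "policy <name>-ips" entry (or it is forced on through enablesid.conf); a preprocessor stub rule with no policy metadata therefore ends up commented even though the preprocessor itself is still configured in snort.conf. The script below is an added illustration of that logic written for this archive page; it is not PulledPork's code and makes no claim about PulledPork's internals. The rules it processes are constructed samples: SIDs 9000001 and 9000002 are in the local range, and the stub uses gid 112, the GID Snort's arpspoof preprocessor reports under.

```python
"""Illustrative re-implementation of the policy-based enable/disable step described
in the thread. Not PulledPork code: it only shows how rule metadata drives the result."""
import re
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

RuleID = Tuple[int, int]  # (gid, sid); gid defaults to 1 for text rules, as in Snort

# Names the -I switch accepts, mapped to the token Snort rule metadata uses for each.
POLICY_TOKEN: Dict[str, str] = {
    "connectivity": "connectivity-ips",
    "balanced": "balanced-ips",
    "security": "security-ips",
}

_METADATA_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed sample rules for this example (not taken from any real ruleset).
SAMPLE_RULES: List[str] = [
    # Text rule tagged for balanced and security: enabled under either of those policies.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED admin path"; '
    'flow:to_server,established; content:"/admin"; http_uri; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; '
    'classtype:web-application-attack; sid:9000001; rev:1;)',
    # Ships commented out, tagged for security only: -I security uncomments it.
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED security-only"; '
    'flow:to_server,established; content:"/debug"; http_uri; '
    'metadata:policy security-ips drop, service http; '
    'classtype:web-application-attack; sid:9000002; rev:1;)',
    '# Preprocessor stub below carries no policy metadata, so no -I policy enables it.',
    # Style of a preprocessor stub rule (gid 112 = arpspoof). Commenting it out does not
    # stop the preprocessor, which is configured in snort.conf; it only silences the alert.
    'alert ( msg:"CONSTRUCTED arpspoof stub"; sid:1; gid:112; rev:1; '
    'metadata:rule-type preproc; classtype:bad-unknown; )',
]


def strip_comment(rule: str) -> str:
    """Remove a leading '#' (and following whitespace) so a disabled rule can be inspected."""
    return re.sub(r"^\s*#\s*", "", rule)


def rule_policies(rule: str) -> Set[str]:
    """Policy tokens named in the rule's metadata, e.g. {'balanced-ips', 'security-ips'}."""
    m = _METADATA_RE.search(rule)
    if not m:
        return set()
    found: Set[str] = set()
    for entry in m.group(1).split(","):
        parts = entry.strip().split()
        if len(parts) >= 2 and parts[0] == "policy":
            found.add(parts[1])
    return found


def rule_id(rule: str) -> RuleID:
    """(gid, sid) of a rule line; gid is 1 when the rule does not state one."""
    sid = int(_SID_RE.search(rule).group(1))
    gm = _GID_RE.search(rule)
    return (int(gm.group(1)) if gm else 1, sid)


def apply_policy(rules: Iterable[str], policy: str,
                 enablesid: FrozenSet[RuleID] = frozenset()) -> List[str]:
    """Return the rule lines with each rule enabled or commented according to `policy`.

    A rule is enabled when its metadata names the selected policy token, or when its
    (gid, sid) appears in `enablesid` (the role enablesid.conf plays in the thread).
    Lines without a sid (blank lines, ordinary comments) pass through unchanged."""
    token = POLICY_TOKEN[policy]
    out: List[str] = []
    for raw in rules:
        body = strip_comment(raw)
        if not _SID_RE.search(body):
            out.append(raw)
            continue
        enabled = token in rule_policies(body) or rule_id(body) in enablesid
        out.append(body if enabled else "# " + body)
    return out


def enabled_ids(rules: Iterable[str], policy: str,
                enablesid: FrozenSet[RuleID] = frozenset()) -> Set[RuleID]:
    """(gid, sid) of every rule left enabled after apply_policy()."""
    return {rule_id(r) for r in apply_policy(rules, policy, enablesid)
            if not r.lstrip().startswith("#")}


if __name__ == "__main__":
    for policy in POLICY_TOKEN:
        print(f"-I {policy}: enabled {sorted(enabled_ids(SAMPLE_RULES, policy))}")
    # Forcing the stub on, as enablesid.conf would, overrides the policy decision for 112:1.
    print("-I security + enablesid 112:1:",
          sorted(enabled_ids(SAMPLE_RULES, "security", frozenset({(112, 1)}))))
```

Running it shows the behaviour the thread describes: under -I security both text rules are enabled and the stub stays commented; under -I connectivity none of the three are enabled; adding 112:1 to the enablesid set is what brings the stub back, independently of whether the arpspoof preprocessor is configured in snort.conf.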
Current thread:
- Pulledpork: preprocessors, ips_policy and snort.conf Michael B (Apr 26)
- Re: Pulledpork: preprocessors, ips_policy and snort.conf Y M (Apr 26)