Snort mailing list archives

Re: Pulledpork: preprocessors, ips_policy and snort.conf


From: Y M <snort () outlook com>
Date: Sun, 26 Apr 2015 11:31:14 +0000


From: miboe60 () hotmail com
To: snort-users () lists sourceforge net
Date: Sun, 26 Apr 2015 12:51:18 +0200
Subject: [Snort-users] Pulledpork: preprocessors, ips_policy and snort.conf




Hello

How does the pulledpork ips_policy work in conjunction with the snort.conf?
# The best way I understand it is that the policy ties to the policy specification in Snort rules. If you look at the 
rules' metadata, you will see the policy specification for a given rule. When you run PulledPork specifying the policy 
using the (-I <security|balanced|connectivity>) switch, it will enable the rules that match the selected policy with 
the rules metadata policy. 
In more detail, does it still make sense to activate preprocessors in my snort.conf, or are they ignored by pulledpork?

# If the preprocessor's stub rules are denoted with the appropriate policy metadata, then PulledPork will enable them 
according to the chosen policy (security|balanced|connectivity).

For example, if I activate the arpspoof preprocessor in snort.conf, and then run Pulledpork in 'security' mode, the 
arpspoof rules are all commented.  Surely, I can activate them through the 'enablesid.conf', but then it would mean 
that the snort.conf options are ignored?
# See my second comment above. Having the preprocessor not report any output, i.e.: alert, does not mean that the 
preprocessor is not working. A simpler example in this case is the http_inspect preprocessor. It has its own rules/gid 
which may not be enabled, however, it is still processing http traffic to be used in text rules, i.e.: http_header, 
http_uri, etc.


Regards
                                          

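The policy selection described in the reply above (a rule is enabled only when its metadata carries a `policy <name>-ips` tag matching the `-I` choice, so preprocessor stub rules without such tags end up commented out) and the enablesid.conf override, modelled in a small Python script. This is an added example, not PulledPork's own code and not part of the original thread; the rule lines are constructed samples written in the shape of Snort rules, the arpspoof-style stub rule included, and the assumption that enablesid.conf entries (`gid:sid`, or a bare sid meaning gid 1) are applied after the policy pass is mine.

```python
import re

# Constructed sample rule set (not real rules): one preprocessor stub rule in the
# style of preprocessor.rules (no policy metadata), two text rules with policy
# metadata, and one text rule with no metadata at all.
SAMPLE_RULES = """\
# alert ( msg:"EXAMPLE_ARPSPOOF_STUB"; sid:1; gid:112; rev:1; metadata:rule-type preproc; classtype:bad-unknown; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE balanced and security"; flow:to_server; content:"x"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE security only"; flow:to_server; content:"y"; metadata:policy security-ips drop; sid:1000002; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE no policy"; flow:to_server; content:"z"; sid:1000003; gid:1; rev:1;)
"""

# Constructed enablesid.conf: force the gid 112 stub rule back on.
SAMPLE_ENABLESID = """\
# force-enable the arpspoof-style stub rule regardless of policy
112:1
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')
POLICY_RE = re.compile(r'\bpolicy\s+([a-z\-]+?)-ips\b')
ACTIONS = ('alert', 'drop', 'pass', 'log', 'reject', 'sdrop')


def parse_rule(line):
    """Return a dict for one rule line (commented out or not), or None for non-rules."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith('#')
    body = stripped.lstrip('# ').strip()
    if not body.startswith(ACTIONS):
        return None          # an ordinary comment, not a disabled rule
    sid_m = SID_RE.search(body)
    if not sid_m:
        return None
    gid_m = GID_RE.search(body)
    policies = set()
    for meta in META_RE.finditer(body):
        policies.update(POLICY_RE.findall(meta.group(1)))
    return {'gid': int(gid_m.group(1)) if gid_m else 1,
            'sid': int(sid_m.group(1)),
            'enabled': enabled, 'policies': policies, 'body': body}


def apply_policy(rules_text, ips_policy):
    """Enable exactly the rules whose metadata names '<ips_policy>-ips'."""
    rules = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        rule['enabled'] = ips_policy in rule['policies']
        rules.append(rule)
    return rules


def parse_sid_list(text):
    """Parse gid:sid entries (bare sid = gid 1); '#' starts a comment."""
    wanted = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        for item in filter(None, (i.strip() for i in line.split(','))):
            gid, sid = item.split(':', 1) if ':' in item else ('1', item)
            wanted.add((int(gid), int(sid)))
    return wanted


def apply_enablesid(rules, enablesid_text):
    """Override the policy decision for every gid:sid listed in enablesid.conf."""
    wanted = parse_sid_list(enablesid_text)
    for rule in rules:
        if (rule['gid'], rule['sid']) in wanted:
            rule['enabled'] = True
    return rules


def enabled_ids(rules):
    return sorted((r['gid'], r['sid']) for r in rules if r['enabled'])


def render(rules):
    """Write the rule set back out, commenting disabled rules with '# '."""
    return '\n'.join(r['body'] if r['enabled'] else '# ' + r['body']
                     for r in rules) + '\n'


if __name__ == '__main__':
    for policy in ('connectivity', 'balanced', 'security'):
        print(policy, enabled_ids(apply_policy(SAMPLE_RULES, policy)))
    rules = apply_enablesid(apply_policy(SAMPLE_RULES, 'security'), SAMPLE_ENABLESID)
    print(render(rules))
```

Run as written, the stub rule (gid 112) stays commented out under every policy because it carries no policy tag, which is the behaviour the question describes; only the enablesid override turns it on. Whether it is commented out or not has no bearing on whether the arpspoof preprocessor configured in snort.conf is inspecting traffic.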
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
