Snort mailing list archives

Re: Odp: Re: Odp: Re: PulledPork and empty Emerging ruleset


From: <snort () outlook com>
Date: Sat, 30 May 2015 21:48:03 +0000

There isn't really one right answer to your question. The short answer is that it depends on your environment and the
associated risk.
The long answer is that you may need to review the categories, rules, documentation, etc., and validate what best suits
your environment. Either way, VRT or ET, you will eventually end up knowing what is actually being enabled, with or
without a policy. For example, there are a lot of MS rules with the security policy, so they get enabled when you use the
security policy; however, the environment may be entirely comprised of Linux and OS X machines. In this case, knowing
about the policy alone is not helpful.
I suggest you review what value ET rules can add to detection in your environment, what the rules/categories are
addressing, and where your risk is (malware, exploits, web servers, SCADA, etc.).
Did I address the question, or did I misunderstand the point?
Sent from Mobile




On Sat, May 30, 2015 at 2:14 PM -0700, "Robert Lasota" <wrkilu () wp pl> wrote:
On Saturday, 30 May 2015 22:46 <snort () outlook com> wrote:

I did NOT say that PulledPork can't generate ET rules. If you look back at my previous answer, all I said was that ET
rules do NOT include the required metadata to classify rules based on policy.

Also, as I said earlier, you can use enablesid.conf to enable what you choose from ET. In fact, if you open
enablesid.conf, you will see an example of how to enable ET rules.

Sent from Mobile





You didn't understand me. I know I can turn on ET in enablesid.conf. But... without a policy, how do I decide which rules
in every ET file should be on or commented out?



Robert
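The point made above, that VRT rules carry "metadata:policy ..." while ET rules do not and so must be selected by hand, is easier to see with a small script. The following is an added example, not code from this thread, from PulledPork or from either ruleset vendor. The four rules are constructed for illustration (the SIDs 9000001-9100002 and the messages are made up), the "category" is a heuristic taken from the msg prefix (assumed, not something Snort defines), and the entries the script emits are in the plain gid:sid form that enablesid.conf accepts. It parses the rules, reports which would be enabled by a given policy (what PulledPork's -I option selects), lists the rules with no policy metadata at all, and builds enablesid.conf entries for the ET categories you decide are relevant to your environment.

```python
import re

# Constructed sample ruleset (NOT real VRT or ET rules). The first two carry
# policy metadata in the VRT style; the second is shipped commented out. The
# last two mimic ET rules, which carry no policy metadata at all.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS hypothetical SMB overflow attempt"; flow:to_server,established; content:"|FF|SMB"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP hypothetical traversal"; flow:to_server,established; content:"../"; metadata:policy security-ips drop; classtype:web-application-attack; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN hypothetical beacon"; flow:to_server,established; content:"GET /gate.php"; classtype:trojan-activity; sid:9100001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"ET SCADA hypothetical Modbus write"; flow:to_server,established; content:"|00 00 00 00 00 06|"; classtype:attempted-admin; sid:9100002; rev:1;)
'''

_ACTIONS = ('alert', 'drop', 'sdrop', 'reject', 'pass', 'log')
_SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
_GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
_MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
_META_RE = re.compile(r'\bmetadata:\s*([^;]*);')
_POLICY_RE = re.compile(r'\bpolicy\s+(\S+)')


def category_of(msg):
    """Heuristic category from the msg prefix: 'ET TROJAN' for ET rules,
    the first token ('OS-WINDOWS') for VRT-style rules. Assumed convention."""
    words = msg.split()
    if len(words) > 1 and words[0] == 'ET':
        return ' '.join(words[:2])
    return words[0] if words else ''


def parse_rules(text):
    """Return one dict per rule: gid, sid, msg, category, policies, enabled.
    A rule whose line starts with '#' is present but disabled by default."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith('#')
        body = line.lstrip('# ').strip()
        if not body.startswith(_ACTIONS):
            continue
        sid, msg = _SID_RE.search(body), _MSG_RE.search(body)
        if not sid or not msg:
            continue
        gid = _GID_RE.search(body)
        meta = _META_RE.search(body)
        policies = set(_POLICY_RE.findall(meta.group(1))) if meta else set()
        rules.append({
            'gid': int(gid.group(1)) if gid else 1,
            'sid': int(sid.group(1)),
            'msg': msg.group(1),
            'category': category_of(msg.group(1)),
            'policies': policies,
            'enabled': not commented,
        })
    return rules


def rules_for_policy(rules, policy):
    """SIDs a policy would turn on: -I security matches 'policy security-ips'."""
    tag = policy + '-ips'
    return sorted(r['sid'] for r in rules if tag in r['policies'])


def rules_without_policy(rules):
    """SIDs that no policy can ever select (typically the whole ET set)."""
    return sorted(r['sid'] for r in rules if not r['policies'])


def category_summary(rules):
    """category -> (rule count, count carrying any policy metadata)."""
    out = {}
    for r in rules:
        total, tagged = out.get(r['category'], (0, 0))
        out[r['category']] = (total + 1, tagged + (1 if r['policies'] else 0))
    return out


def enablesid_entries(rules, categories):
    """gid:sid lines for enablesid.conf covering the chosen categories."""
    return ['%d:%d' % (r['gid'], r['sid'])
            for r in sorted(rules, key=lambda r: r['sid'])
            if r['category'] in categories]


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print('enabled by security policy :', rules_for_policy(rules, 'security'))
    print('no policy metadata at all  :', rules_without_policy(rules))
    for cat, (n, tagged) in sorted(category_summary(rules).items()):
        print('%-14s %d rule(s), %d with policy metadata' % (cat, n, tagged))
    # Pick the ET categories that match your risk (here: SCADA, not TROJAN).
    print('enablesid.conf entries     :', enablesid_entries(rules, {'ET SCADA'}))
```

Running it against a real rules directory (replace SAMPLE_RULES with the concatenated *.rules files) gives the per-category view the reply recommends: every VRT category shows how many of its rules a policy would pick up, every ET category shows zero, and the chosen ET categories come out as gid:sid lines ready to paste into enablesid.conf. Note that the disabled rule (sid 9000002) still counts as selected by the security policy, which is exactly the case where "knowing about the policy alone is not helpful" unless you also check what is commented out.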


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
