Snort mailing list archives
Re: Odp: Re: Odp: Re: PulledPork and empty Emerging ruleset
From: <snort () outlook com>
Date: Sat, 30 May 2015 21:48:03 +0000
There isn't really one right answer to your question. The short answer is that it depends on your environment and the associated risk. The long answer is that you may need to review the categories, rules, documentation, etc., and validate what best suits your environment. Either way, VRT or ET, you will eventually end up knowing what is actually being enabled, with or without a policy. For example, there are a lot of MS rules with the security policy, so they get enabled when you use the security policy; however, the environment may be entirely comprised of Linux and OS X machines. In this case knowing about the policy alone is not helpful. I suggest you review what value ET rules can add to detection in your environment, what the rules/categories are addressing, and where your risk is (malware, exploits, web servers, SCADA, etc.).

Did I address the question, or did I misunderstand the point?

Sent from Mobile

On Sat, May 30, 2015 at 2:14 PM -0700, "Robert Lasota" <wrkilu () wp pl> wrote:

> On Saturday, 30 May 2015 22:46, <snort () outlook com> wrote:
>
> > I did NOT say that PulledPork can't generate ET rules. If you look back at my previous answer, all I said was that ET rules do NOT include the required metadata to classify rules based on policy. Also, like I said earlier, you can use enablesid.conf to enable what you choose from ET. In fact, if you open enablesid.conf, you will see an example of how to enable ET rules.
> >
> > Sent from Mobile
>
> You didn't understand me. I know I can turn on ET in enablesid.conf. But... without a policy, how do I decide which rules in every ET file should be on or commented out??
>
> Robert
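To make the point about policy metadata concrete, here is an added example (not PulledPork's code and not from anyone in this thread) that parses a few constructed rules, applies a policy selection the way a metadata-based policy filter would, and then layers enablesid.conf-style overrides on top. The sample rules, the sids and the simplified enablesid syntax (bare sid, sid range, pcre: on the msg) are assumptions for illustration, not PulledPork's exact format.

```python
import re

# Constructed sample rules (not from the page): two VRT-style rules carrying
# policy metadata and two ET-style rules that carry none.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS sample SMB rule"; flow:to_server,established; classtype:attempted-admin; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP sample web rule"; flow:to_server,established; classtype:web-application-attack; sid:1000002; rev:1; metadata:policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN sample beacon"; flow:established,to_server; classtype:trojan-activity; sid:2000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"ET SCADA sample Modbus write"; flow:to_server,established; classtype:attempted-dos; sid:2000002; rev:1;)
"""

RULE_RE = re.compile(r'^\s*(#\s*)?((?:alert|drop|pass|log)\s+[^(]*\((.*)\))\s*$')

def parse_rule(line):
    """Return {sid, enabled, msg, policies} for a Snort rule line, None otherwise."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m.group(3)
    sid = re.search(r'\bsid:\s*(\d+)', opts)
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    meta = re.search(r'metadata:\s*([^;]*)', opts)
    # Policy tags look like 'policy security-ips drop'; ET-style rules have none.
    policies = set(re.findall(r'\bpolicy\s+([\w-]+)', meta.group(1))) if meta else set()
    return {'sid': int(sid.group(1)), 'enabled': m.group(1) is None,
            'msg': msg.group(1) if msg else '', 'policies': policies}

RULES = [r for r in map(parse_rule, SAMPLE_RULES.splitlines()) if r]

def apply_policy(rules, policy):
    """Policy selection: a rule is enabled only if its metadata names the policy,
    so every rule without policy metadata (the ET style) ends up disabled."""
    return {r['sid']: policy in r['policies'] for r in rules}

def apply_enablesid(rules, states, entries):
    """enablesid.conf-style overrides (assumed simplified syntax): a bare sid,
    a 'lo-hi' sid range, or 'pcre:<regex>' matched against the rule msg."""
    for e in entries:
        if e.startswith('pcre:'):
            pat = re.compile(e[5:])
            hits = [r['sid'] for r in rules if pat.search(r['msg'])]
        elif '-' in e:
            lo, hi = (int(x) for x in e.split('-'))
            hits = [r['sid'] for r in rules if lo <= r['sid'] <= hi]
        else:
            hits = [int(e)]
        states.update({s: True for s in hits if s in states})
    return states
```

Running apply_policy alone with 'security-ips' leaves both ET rules disabled regardless of their original on/off state, which is the empty ET ruleset described in the thread; only the enablesid-style overrides bring them back.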
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Odp: Re: Odp: Re: PulledPork and empty Emerging ruleset Robert Lasota (May 30)
- Re: Odp: Re: Odp: Re: PulledPork and empty Emerging ruleset snort (May 30)