Snort mailing list archives
Re: Snort rules
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 14 Jun 2016 22:34:30 +0000
The “on/off” state, by default, equates, roughly, to balanced. You have to adjust your posture from there.

--
Joel Esler
Manager, Talos Group
On Jun 14, 2016, at 11:09 AM, Y M <snort () outlook com> wrote:

Yes, as far as I understand. In a very abstract form, the policy is expressed in the "metadata" keyword within each rule using definitions such as balanced-ips, security-ips. This is how PulledPork can tell which rules to enable based on the selected policy. There is a one-to-one mapping of policies between the ruleset and PulledPork (not sure about the max-ips though).

YM
Sent from Mobile

_____________________________
From: Dan Roberts <danroberts2604 () gmail com>
Sent: Tuesday, June 14, 2016 5:24 PM
Subject: Re: [Snort-users] Snort rules
To: Y M <snort () outlook com>

Thanks for the link :-) I knew that with some dedicated tools (like PulledPork) you can generate your set of rules based on a connectivity, balanced or security profile. Does it mean that the package delivered by default by Snort for the registered users (snortrules-snapshot-xxx.tar.gz) provides the same set of rules (known as "Balanced Base Policy") as the balanced one built by PulledPork?

On Tue, Jun 14, 2016 at 3:00 PM, Y M <snort () outlook com> wrote:

Check this link: http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html

YM
Sent from Mobile

On Tue, Jun 14, 2016 at 3:55 PM +0300, "Dan Roberts" <danroberts2604 () gmail com> wrote:

Hi all,
Does someone know what decides which rules are commented out (#) in the *.rules files contained in the snortrules-snapshot-29xx.tar.gz package? Are they outdated? So why do we keep them in the files?
Thanks
Dan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
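The enable/disable mechanism YM describes above (rules carry `metadata:policy <name> drop`, and a tool keys on that tag to decide which rules to uncomment), as an added illustration that is not PulledPork's own code nor anything posted in this thread. The sample rules are constructed; `balanced-ips` and `security-ips` are the policy tags named in the thread, `connectivity-ips` and `max-detect-ips` are the other Talos policy tags and are assumed here.

```python
import re

# Constructed sample of a *.rules file as shipped in a snortrules-snapshot tarball:
# rules arrive commented out unless they belong to the default (balanced) policy.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; metadata:policy security-ips drop; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE http attack"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns anomaly"; metadata:policy max-detect-ips drop; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE no policy tag"; sid:1000004; rev:1;)
"""

POLICIES = ("connectivity-ips", "balanced-ips", "security-ips", "max-detect-ips")
RULE_RE = re.compile(r'^\s*(#\s*)?((?:alert|drop|pass|log)\s.*\(.*\))\s*$')
META_RE = re.compile(r'metadata:\s*([^;]*);')
POLICY_RE = re.compile(r'policy\s+(\S+)\s+(drop|alert)')
SID_RE = re.compile(r'sid:\s*(\d+)\s*;')

def rule_policies(rule):
    """Return {policy_name: action} declared in the rule's metadata keyword."""
    m = META_RE.search(rule)
    if not m:
        return {}
    return {name: action for name, action in POLICY_RE.findall(m.group(1))}

def sid_of(rule):
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def apply_policy(rules_text, policy):
    """Uncomment rules tagged for `policy`, comment out every other rule.
    Returns (rewritten rules text, list of enabled SIDs)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    out, enabled = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:                      # blank lines and plain comments pass through
            out.append(line)
            continue
        body = m.group(2)              # the rule with any leading '#' stripped
        if policy in rule_policies(body):
            out.append(body)
            enabled.append(sid_of(body))
        else:
            out.append("# " + body)    # keep the rule on file, just disabled
    return "\n".join(out) + "\n", enabled
```

Run against the sample, `balanced-ips` enables only sid 1000002 (the default state of the tarball), `security-ips` additionally enables 1000001, and a rule with no policy tag stays commented under every policy.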