Snort mailing list archives
Re: Import ET into Sourcefire DC
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 17 Jan 2011 09:02:46 -0500
Just so it's clear, I'm not trying to be evasive or trying to start a fight either. I'm glad you said that Matt, because apparently some people think that ET and Sourcefire are "fighting".

The users manual for Sourcefire is on the support site, so if you have a Sourcefire support account, you can gain access to our docs. However, out of the few imports of ET rules that I have seen attempted, there are formatting issues with the ET rules that our parser will not accept. I don't recall exactly which fields they are, but rest assured if any fields are not part of the standard Snort configuration, the Sourcefire DC will not accept the import into the database.

The ability to import any external rules into the database is in *Policy & Response -> IPS -> SEU*, then click the "*Import*" button.

Joel

On Mon, Jan 17, 2011 at 8:55 AM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:

> I appreciate the concern to not offend anyone. It's something that comes up often for us and we haven't seen a good resolution.
>
> How about you just point us to the docs on that so we can help folks that have issues and we let it leave the lists here? Is that possible?
>
> (I swear, I'm not trying to start a fight here. :) We just are curious too and want to help folks be able to import ET rules. And heck, it'll help sell SF consoles if people can use them easier.)
>
> Matt
>
> On Jan 17, 2011, at 8:30 AM, Joel Esler wrote:
>
>> Matt,
>>
>> This isn't a Snort issue, it's a Sourcefire issue, and we have strict internal restrictions about discussing product on the Snort lists for fear of people accusing us of advertising product, so I'd rather it NOT be on list. If I do it, that allows other people to do it, and other companies, and before we know it the Snort lists will turn into an advertising list, and we all don't want that.
>>
>> The correct way for this question to be fielded is through Sourcefire support.
>>
>> The import of rules is extremely easy to do and is documented both in our manual as well as the help documentation within the Defense Center. If you have a Sourcefire support account, it's documented for you.
>>
>> Joel
>>
>> On Jan 17, 2011, at 8:24 AM, Matthew Jonkman wrote:
>>
>>> I'd love to see this on the list if we can. We have a number of customers that do, and a lot of open ruleset users that want to, but there's never been much discussion of how to do so.
>>>
>>> No one likes a security product that eliminates flexibility, more info here would be good for all I think. I'll even make sure we get it documented somewhere public!
>>>
>>> Matt
>>>
>>> On Jan 17, 2011, at 8:17 AM, Joel Esler wrote:
>>>
>>>> On Jan 17, 2011, at 8:00 AM, Gregory Zill wrote:
>>>>
>>>>> Possibly a little off-topic, but I was wondering if anyone uses ET rules on a Sourcefire Defense Center? The rules need to be reformatted somewhat before accepted into the DC for use on SF sensors. I appreciate any information out there.
>>>>
>>>> We know of a couple customers that do.
>>>>
>>>> If you'd like to write me off-list, I can help you with this.
>>>>
>>>> --
>>>> Joel Esler
>>>> jesler () sourcefire com
>>>> http://blog.snort.org && http://blog.clamav.net
>>
>> --
>> Joel Esler
>> jesler () sourcefire com
>> http://blog.snort.org && http://blog.clamav.net
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> PGP: http://www.jonkmans.com/mattjonkman.asc
--
Joel Esler
Skype: eslerjoel
http://blog.snort.org
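Joel's point above is that a rule importer which only understands the standard Snort rule language will reject a ruleset as soon as it meets an option keyword it does not know. The following is an added example, not code from the thread, from Sourcefire or from Emerging Threats: a small linter that splits each rule's option section (honouring quotes and backslash escapes, so a `;` inside a `content` string is not treated as a separator) and reports every option keyword outside a known-good set. The `KNOWN_OPTIONS` set is an assumption made for this example, a subset of Snort 2.x option keywords, not the Defense Center parser's actual accept list; the sample rules and the option name `hypothetical_opt` are constructed for the demonstration.

```python
"""Snort rule-option linter (added example; assumptions noted in comments)."""
import re

# Assumed known-good keywords: a subset of Snort 2.x rule options, NOT the
# accept list of any particular product. Extend it to match the target parser.
KNOWN_OPTIONS = {
    "msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata",
    "content", "nocase", "offset", "depth", "distance", "within", "rawbytes",
    "fast_pattern", "uricontent", "urilen", "pcre", "isdataat", "byte_test",
    "byte_jump", "flow", "flowbits", "dsize", "flags", "ttl", "itype", "icode",
    "ip_proto", "sameip", "threshold", "detection_filter", "tag",
    "http_uri", "http_header", "http_client_body", "http_method", "http_cookie",
}

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.DOTALL,
)


def split_options(body):
    """Split the option section on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Return {'sid': str|None, 'keywords': [option names in order]} for one rule line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % line[:60])
    opts = split_options(m.group(8))
    keywords, sid = [], None
    for opt in opts:
        name, _, value = opt.partition(":")
        name = name.strip()
        keywords.append(name)
        if name == "sid":
            sid = value.strip()
    return {"sid": sid, "keywords": keywords}


def unknown_options(line):
    """Option keywords in the rule that are not in KNOWN_OPTIONS (in order, de-duplicated)."""
    seen, out = set(), []
    for kw in parse_rule(line)["keywords"]:
        if kw not in KNOWN_OPTIONS and kw not in seen:
            seen.add(kw)
            out.append(kw)
    return out


def lint_ruleset(text):
    """Map sid -> unknown keywords for every non-comment rule that has at least one."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        unknown = unknown_options(line)
        if unknown:
            findings[parse_rule(line)["sid"] or "?"] = unknown
    return findings


# Constructed sample ruleset: not real ET or VRT content. 'hypothetical_opt' is a
# made-up option name standing in for whatever a strict importer would reject.
SAMPLE_RULES = """\
# constructed sample rules for the linter demonstration
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE semicolon inside content"; flow:to_server,established; content:"a;b"; nocase; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE non-standard option"; flow:established; content:"X"; hypothetical_opt:foo; sid:9000002; rev:2;)
"""

if __name__ == "__main__":
    for sid, kws in lint_ruleset(SAMPLE_RULES).items():
        print("sid %s uses non-standard option(s): %s" % (sid, ", ".join(kws)))
```

Run it against a ruleset file's contents before an import attempt, and the output names the sids (and keywords) that need reformatting; an empty result only means every keyword is in the assumed set, not that the target parser will accept the file, so the set should be adjusted to whatever the importer's documentation lists.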
------------------------------------------------------------------------------ Protect Your Site and Customers from Malware Attacks Learn about various malware tactics and how to avoid them. Understand malware threats, the impact they can have on your business, and how you can protect your company and customers by using code signing. http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Import ET into Sourcefire DC Gregory Zill (Jan 17)
- Re: Import ET into Sourcefire DC Joel Esler (Jan 17)
- Re: Import ET into Sourcefire DC Matthew Jonkman (Jan 17)
- Re: Import ET into Sourcefire DC Joel Esler (Jan 17)
- Re: Import ET into Sourcefire DC Matthew Jonkman (Jan 17)
- Re: Import ET into Sourcefire DC Joel Esler (Jan 17)
- Re: Import ET into Sourcefire DC Matthew Jonkman (Jan 17)
- Re: Import ET into Sourcefire DC Matthew Jonkman (Jan 17)
- Re: Import ET into Sourcefire DC Joel Esler (Jan 17)