Snort mailing list archives
Re: Some notes about today's VRT Rule release for 02/09/2012
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 09 Feb 2012 17:19:42 -0500
On 2/9/2012 15:58, Joel Esler wrote: [trim]
> Today, we leveled the playing field between the various ways to get Snort rules. It has long been the case where Sourcefire products, by default, enabled rules in the balanced-ips policy.
ok...
> When you use PulledPork (http://code.google.com/p/pulledpork/), this is also the default behavior. But when you simply downloaded the rules from Snort.org, the rules were a hodge podge of rules that were enabled or disabled, denoted by whether or not the rule was commented out in the rules file.
ok...
> In an effort to make the barrier to entry that much easier, the Open Source rule package downloaded on snort.org <http://snort.org> now exactly mirrors what you would get if you used PulledPork. All rules in balanced-ips are enabled and all rules not in balanced-ips are disabled. The exception to this is that rules that set flowbits that are used by rules that are in balanced-ips are also enabled. This means that the default Open Source ruleset will now provide a good balance between speed, performance, and detection and all rules should work as expected. Those using Oinkmaster, or simply downloading the ruleset directly, will now be running the "balanced-ips" policy. A rule's "on/off" state is now dictated by policy.
what policy? i've understood most things up to here... we do not use any "policy" rules in our configuration... at least nothing specifically... i don't believe that we even include the policy.rules file(s)... so one has to ask, what policy? where can one see this policy? does this change blow things up like oinkmaster's disablesid option?
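The enable/disable behaviour described in the quoted announcement, as an added example that is not part of the original thread and is not VRT or PulledPork code. It assumes policy membership is carried in each rule's `metadata:policy <name> ...` option; the sample rules, sids and flowbit names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample rules file (sids, messages and flowbit names are made up).
SAMPLE = '''\
alert tcp any any -> any 80 (msg:"A sets bit"; flowbits:set,demo.file; flowbits:noalert; metadata:policy security-ips drop; sid:1000001;)
alert tcp any any -> any 80 (msg:"B checks bit"; flowbits:isset,demo.file; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000002;)
# alert tcp any any -> any 25 (msg:"C other policy"; metadata:policy security-ips drop; sid:1000003;)
alert tcp any any -> any 21 (msg:"D no policy"; flowbits:set,demo.other; sid:1000004;)
'''

RULE = re.compile(r'^\s*#?\s*((?:alert|drop|log|pass|reject|sdrop)\s.*\(.*\))\s*$')
SETTERS = {"set", "setx", "toggle"}      # assumption: keywords treated as "sets a flowbit"
CHECKERS = {"isset", "isnotset"}

def parse(text):
    """Return {sid: {"rule", "policies", "sets", "checks"}} for active and commented rules."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        body = m.group(1)
        sid = int(re.search(r'\bsid:\s*(\d+)', body).group(1))
        meta = " ".join(re.findall(r'metadata:([^;]*)', body))
        sets, checks = set(), set()
        for op, names in re.findall(r'flowbits:\s*(\w+)\s*,\s*([^,;]+)', body):
            target = sets if op in SETTERS else checks if op in CHECKERS else set()
            target.update(n.strip() for n in re.split(r'[&|]', names))
        rules[sid] = {"rule": body, "sets": sets, "checks": checks,
                      "policies": set(re.findall(r'policy\s+([\w-]+)', meta))}
    return rules

def enabled_sids(text, policy="balanced-ips"):
    """Rules in the policy, plus setters of flowbits that enabled rules check."""
    rules = parse(text)
    enabled = {s for s, r in rules.items() if policy in r["policies"]}
    while True:  # repeat: a newly enabled setter may itself check another flowbit
        needed = set().union(*(rules[s]["checks"] for s in enabled))
        extra = {s for s, r in rules.items() if s not in enabled and r["sets"] & needed}
        if not extra:
            return enabled
        enabled |= extra

def render(text, policy="balanced-ips"):
    """Rewrite the file so comment state follows the policy, not the original state."""
    on = enabled_sids(text, policy)
    return "\n".join(r["rule"] if s in on else "# " + r["rule"]
                     for s, r in parse(text).items())
```

In the sample, rule A is not in balanced-ips but is enabled because rule B checks the flowbit it sets, while rule D is commented out even though it was active in the input file.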