Snort mailing list archives

Re: Some notes about today's VRT Rule release for 02/09/2012


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 9 Feb 2012 17:35:04 -0500

On Thu, Feb 9, 2012 at 5:19 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 2/9/2012 15:58, Joel Esler wrote:

[trim]

In an effort to make the barrier to entry that much easier, the Open Source
rule package downloaded on snort.org <http://snort.org> now exactly mirrors
what you would get if you used PulledPork. All rules in balanced-ips are
enabled and all rules not in balanced-ips are disabled. The exception to
this is that rules that set flowbits that are used by rules that are in
balanced-ips are also enabled. This means that the default Open Source
ruleset will now provide a good balance between speed, performance, and
detection and all rules should work as expected.  Those using Oinkmaster,
or simply downloading the ruleset directly, will now be running the
"balanced-ips" policy.  A rule's "on/off" state is now dictated by policy.

what policy? i've understood most things up to here... we do not use any
"policy" rules in our configuration... at least nothing specifically... i
don't believe that we even include the policy.rules file(s)... so one has
to ask, what policy? where can one see this policy? does this change blow
things up like oinkmaster's disablesid option?

We've had three policies in the rules for some time now in the "metadata"
field.  "policy connectivity-ips, policy balanced-ips, and policy security-ips"

This change will not affect Oinkmaster at all.  In fact, those of you that
were using things other than PulledPork that didn't have flowbit
auto-resolution or policy enforcement are now running the exact same
policies (and dependencies) that those that are.  That's what we mean by
"leveling the playing field".

Actually, Waldo, you were one of the people specifically we had in mind
when we made this "fix", since you can't run PulledPork.

J
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
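
An added illustration, not part of the original message and not PulledPork's or the VRT's own code: a small resolver that applies the behaviour described in the thread, turning rules on by the "policy" entry in their metadata field and also turning on the rules that set flowbits the enabled rules test. The sample rules, sids and flowbit names are constructed, the regex parsing is a simplification of the rule grammar, and repeating the flowbit step until nothing changes generalizes the one-level exception described in the message.

```python
import re

# Group 1 is the "#" of a disabled rule, group 2 the rule text itself.
RULE = re.compile(r'^\s*(#\s*)?((?:alert|drop|log|pass|reject|sdrop)\s.*\(.*\))\s*$')
SETTERS, TESTERS = {"set", "setx", "toggle"}, {"isset", "isnotset"}

def parse(line):
    """Extract sid, metadata policies and flowbit names from one rule line."""
    m = RULE.match(line)
    sid = re.search(r'\bsid:\s*(\d+)', m.group(2)) if m else None
    if not sid:
        return None  # plain comment, blank line, or not a rule
    meta = re.search(r'\bmetadata:\s*([^;]*);', m.group(2))
    rule = {"body": m.group(2), "sid": int(sid.group(1)), "sets": set(), "tests": set(),
            "policies": set(re.findall(r'policy\s+([\w-]+)', meta.group(1))) if meta else set()}
    for opt in re.findall(r'\bflowbits:\s*([^;]*);', m.group(2)):
        verb, _, names = (p.strip() for p in opt.partition(","))
        bits = {b for b in re.split(r'[&|]', names.split(",")[0].strip()) if b}
        if verb in SETTERS:
            rule["sets"] |= bits
        elif verb in TESTERS:
            rule["tests"] |= bits
    return rule

def apply_policy(lines, policy="balanced-ips"):
    """Return (enabled sids, rewritten lines) with on/off state set by policy."""
    parsed = [(line, parse(line)) for line in lines]
    rules = [r for _, r in parsed if r]
    enabled = {r["sid"] for r in rules if policy in r["policies"]}
    while True:  # repeat until no further flowbit setter has to be switched on
        needed = set().union(*(r["tests"] for r in rules if r["sid"] in enabled))
        extra = {r["sid"] for r in rules if r["sets"] & needed} - enabled
        if not extra:
            break
        enabled |= extra
    return enabled, [l if r is None else ("" if r["sid"] in enabled else "# ") + r["body"]
                     for l, r in parsed]

# Constructed sample rules (not from any real ruleset); sids and flowbit names are made up.
SAMPLE = [
    '# alert tcp any any -> any 80 (msg:"EX stage0"; flowbits:set,ex.pre; flowbits:noalert; sid:1000005; rev:1;)',
    '# alert tcp any any -> any 80 (msg:"EX download"; flowbits:isset,ex.pre; flowbits:set,ex.file; flowbits:noalert; sid:1000001; rev:1;)',
    'alert tcp any 80 -> any any (msg:"EX exploit"; flowbits:isset,ex.file; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000002; rev:1;)',
    'alert tcp any any -> any 25 (msg:"EX noisy"; flowbits:isset,ex.other; metadata:policy security-ips drop; sid:1000003; rev:1;)',
    '# alert tcp any any -> any 25 (msg:"EX other"; flowbits:set,ex.other; flowbits:noalert; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    print("\n".join(apply_policy(SAMPLE)[1]))
```

Rules 1000001 and 1000005 carry no policy entry but end up enabled because 1000002 depends on their flowbits; 1000003 is active in the input and ends up commented out because it is not in balanced-ips.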

