Snort mailing list archives
Re: quick question about snort.conf
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 23 Oct 2012 19:04:28 -0400
Exactly correct.

Sent from my iPhone

On Oct 23, 2012, at 6:06 PM, Jeremy Hoel <jthoel () gmail com> wrote:

The rules file you get still has all the rules in the little groups. That's still the official way. If you want better/easier rule management then you use pulledpork/oinkmaster/etc. And with pulledpork, one of its options is to output the single snort.rules file. You don't have to do that, you can still have the individual files, but the single file is the default.

So as far as Snort is concerned, its default way is to use the individual files, but most of the users will probably migrate to better management with the single rules file.

On Tue, Oct 23, 2012 at 9:59 PM, AllowOverride <allowoverride () gmail com> wrote:

I noticed today that the snort.conf from: http://labs.snort.org/snort/2931/snort.conf still includes the "include" rules.

From what I have been told, for IDS in my case, I need to # out the include statements, and only use the snort.rules like this:

include $RULE_PATH/snort.rules

So to wrap up: when I use the snort.rules listed above Snort works. If I do NOT include the path above it will not. 0 bytes snort.log is my proof.

I am curious as to why the downloadable snort.conf is still including the paths below, not #'d out, and still available?? Shouldn't they be removed since snort.rules is the supported way officially? Just wondering, I appreciate your comments.

wrong way:

# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
....

right way:

# site specific rules
#include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
....

correct?

PS. base1.4.5, barnyard2, pulledpork, snort work fine :)

thanks!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
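A way to check which rule files a snort.conf actually loads, given the two layouts discussed in the thread. This is an added example, not code from the thread or from the Snort project; the function names, the `sizes` mapping, the layout labels and the sample paths are assumptions made for illustration.

```python
import os
import re

# Constructed sample in the style of the fragment quoted in the thread.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
# site specific rules
#include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
#include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(\S+)")
INC_RE = re.compile(r"^\s*include\s+(\S+\.rules)\s*$")


def active_rule_includes(conf_text):
    """Resolved paths of every uncommented 'include <file>.rules' line."""
    variables, paths = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # '#include ...' becomes an empty line
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
        elif (m := INC_RE.match(line)):
            # Expand $NAME from variables defined earlier in the file.
            paths.append(re.sub(r"\$(\w+)",
                                lambda v: variables.get(v.group(1), v.group(0)),
                                m.group(1)))
    return paths


def audit(conf_text, sizes, single_file="snort.rules"):
    """sizes maps path -> byte size for the files that exist on disk."""
    paths = active_rule_includes(conf_text)
    names = {os.path.basename(p) for p in paths}
    if not names:
        layout = "none"          # no rule file is loaded at all
    elif single_file in names:
        layout = "mixed" if names - {single_file} else "single"
    else:
        layout = "individual"    # the per-category files from the tarball
    # A missing or 0-byte file contributes no rules.
    unusable = [p for p in paths if sizes.get(p, 0) == 0]
    return {"layout": layout, "unusable": unusable}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, {"/etc/snort/rules/snort.rules": 4096}))
```

On a real sensor, build `sizes` from `os.path.getsize` over the rules directory and pass the contents of the deployed snort.conf.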
Current thread:
- quick question about snort.conf AllowOverride (Oct 23)
- Re: quick question about snort.conf Jeremy Hoel (Oct 23)
- Re: quick question about snort.conf Joel Esler (Oct 23)
- Re: quick question about snort.conf Peter Bates (Oct 24)
- Re: quick question about snort.conf Joel Esler (Oct 24)
- Re: quick question about snort.conf Jeremy Hoel (Oct 23)