Re: VRT Categories

[SnortFan <SnortFan () yahoo com>]

When I put what I think is the categories I get about four times as many rules than if I don't. When I then try to 
comment out the categories I still have way more than the default. What I'm trying to do is get the default and the 
VoIP rules. 

Before the pervious snort admin was doing pulled pork once for the default and a second for VoIP. Then he used script 
to recreate the sidmap file, however that script really doesn't create a valid sidmap file.  

Thanks,
Ed

Sent from a mobile device. 

> On Jan 23, 2014, at 4:03 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
>
> There are still a few categories that are stragglers I think, and the shared object rules didn’t change categories 
> yet.
>
>
> > On Jan 22, 2014, at 3:38 PM, Y M <snort () outlook com> wrote:
> >
> > As far as I know the transition is complete. But, as the nature of things go, changes maybe warranted. That said, 
> > you can compare the files of one of the old categories against a newer one (ex.: icmp.rules vs. protocol-icmp.rules) 
> > and see the difference. The below statement is quoted from the first blog post:
> >
> > http://blog.snort.org/2012/03/rule-category-reorganization.html
> >
> > "The good news is, if you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you 
> > should be unaffected.  These products will handle the transition just fine.  The only way you will be affected using 
> > PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable 
> > entire categories of rules."
> >
> > YM
> >
> > Subject: Re: [Snort-users] VRT Categories
> > From: SnortFan () yahoo com
> > Date: Wed, 22 Jan 2014 15:30:22 -0500
> > To: snort () outlook com; snort-users () lists sourceforge net
> >
> > Hi YM, 
> >      Hmm, so are the new rule categories on those three pages the whole list? Seems a little confusing. I'm using 
> > the older categories and they seem to be pulling down some rules. So are they still in transition to the new more 
> > protocol / file /policy based categories? 
> >
> > When I comment out the enablesid in my pulledpork.conf file I should get all the rules but I actually get less than 
> > if I use the enablesid.conf and use the old category list. 
> >
> > Thanks,
> > Ed
> >
> > Sent from a mobile device. 
> >
> > On Jan 22, 2014, at 3:04 PM, Y M <snort () outlook com> wrote:
> >
> > Have a look at these:
> >
> > http://blog.snort.org/2012/03/rule-category-reorganization.html
> > http://blog.snort.org/2012/08/rule-category-reorganization-phase-2.html
> > http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html
> >
> > YM
> >
> > > From: SnortFan () yahoo com
> > > Date: Wed, 22 Jan 2014 14:53:42 -0500
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] VRT Categories
> > >
> > > Hi All,
> > >
> > > Where can I find the most current list of VRT Categories to plug into pulledpork's enablesid.conf file?
> > >
> > > The one I've found is dated April 1, 2010. 
> > >
> > > Thanks,
> > > Ed
> > >
> > > Sent from a mobile device. 
> > > ------------------------------------------------------------------------------
> > > CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> > > Learn Why More Businesses Are Choosing CenturyLink Cloud For
> > > Critical Workloads, Development Environments & Everything In Between.
> > > Get a Quote or Start a Free Trial Today. 
> > > http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> > ------------------------------------------------------------------------------
> > CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> > Learn Why More Businesses Are Choosing CenturyLink Cloud For
> > Critical Workloads, Development Environments & Everything In Between.
> > Get a Quote or Start a Free Trial Today. 
> > http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!