Snort mailing list archives
Re: Default rule set
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 23 May 2014 10:15:53 -0600
I keep my VRT and ET rules separate, so separate PP config files, and separate combined .rules files as well. This just works better for my personal setup. -----Original Message----- From: Sallee, Jake [mailto:Jake.Sallee () umhb edu] Sent: May 17, 2014 10:44 PM To: snort-users Subject: [Snort-users] Default rule set Firstly, thank you all for the info, it has been very helpful. I have configured my pulled pork with the security setting and it seems to be working well. Now, as others have pointed out, configuring this setting in PP turns off all ET rules. So my question is: are the rules turned on with the "security" setting in PP sufficient or should I augment them with rules from the ET set? Also, a quick question about this suggestion:
2. Since PulledPork now processes modifysid.conf first (before enablesid.conf), add pcre to modify ET rules to include the desired policy and PulledPork should pick it up from there. I will need to re-test this one though.
Please forgive my inexperience but I am reading this statement two different ways: 1) Set PP with the security setting and use PCRE to enable ET rules in the modifysid.conf file or 2) Use PCRE to enable the security sub-set of rules in modifysid.conf while PP is configured to use the ET rule set Which one is correct, or am I wrong on both counts? And lastly, if I do use some ET rules in conjunction with the security set of rules I will need to do some serious pruning to keep under the aforementioned 7,000 rule suggested limit. Are there any rules that duplicate effort in the ET and Security sets? If so, is there an easy way to identify them and which one should I choose to use? Thank you all again. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor WWW.UMHB.EDU 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________________ From: waldo kitty [wkitty42 () windstream net] Sent: Saturday, May 17, 2014 9:47 AM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] Default rule set On 5/17/2014 6:43 AM, Y M wrote:
> ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET > (EmergingThreats) rules sets?? ;) I don't think ET ruleset has these policies.
exactly, thanks for confirming this, YM... it is especially important since the OP's original question mentioned ET rules...
In the VRT ruleset, these are represented through the "metadata" tag with options of "policy connectivity-ips", "policy balanced-ips", "policy security-ips", and the most recent one "ruleset community". PulledPork use these along with the "-I <policy>" to determine what rules to enable.
yes, this confirms the method with which the policy is determined... it is also helpful for those who don't know or understand it...
During early tests, running PulledPork against both VRT and ET with a policy specified, did not enable any ET rule. Two options to overcome this: 1. Add ET sids/categories into enablesid.conf, and PulledPork will enable them regardless of policy specified, or (better) 2. Since PulledPork now processes modifysid.conf first (before enablesid.conf), add pcre to modify ET rules to include the desired policy and PulledPork should pick it up from there. I will need to re-test this one though.
ahh, very nice... i'm glad to see the PP has come such a long way in the short time it has been available... excellent work by the maintainer! ;) -- NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Default rule set Sallee, Jake (May 16)
- Re: Default rule set James Lay (May 16)
- Re: Default rule set Kurzawa, Kevin (May 16)
- Re: Default rule set Joel Esler (jesler) (May 16)
- Re: Default rule set waldo kitty (May 16)
- Re: Default rule set Y M (May 17)
- Re: Default rule set waldo kitty (May 17)
- Message not available
- Message not available
- Re: Default rule set Sallee, Jake (May 17)
- Message not available
- Default rule set Sallee, Jake (May 17)
- Re: Default rule set Y M (May 18)
- Re: Default rule set Jefferson, Shawn (May 23)