Snort mailing list archives
Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3
From: Dorian ROSSE via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 1 Mar 2022 09:33:49 +0000
Dear Noah,

The error is too here: in your configuration of the snort configuration you do read only the rules local.

Thank you in advance to explain how to read all the folders of rules,

Regards.

Dorian Rosse.

________________________________
From: Noah Dietrich <noah_dietrich () 86penny org>
Sent: Monday, February 28, 2022 10:18:01 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Maya Dagon (mdagon) <mdagon () cisco com>; Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>; snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3

Hello,

I think the reason you only have 600 rules is because of the "ips_policy" setting in your pulledpork.conf file (I assume you're using PulledPork3, but it's similar for PP2). This setting determines how many rules from the downloaded ruleset are enabled, based on your appetite for risk. From the pulledpork.conf file:

    # Enable / Disable rules based on the level of functionality/security you want.
    # must be one of: connectivity, balanced, security, max-detect, none
    # default is connectivity. Will not work with community ruleset.
    # https://www.snort.org/faq/why-are-rules-commented-out-by-default
    ips_policy = balanced

If you want more rules enabled from the ruleset, choose security or max-detect for this setting and re-run pulledpork.

Noah

On Mon, Feb 28, 2022 at 8:35 AM Dorian ROSSE via Snort-users <snort-users () lists snort org> wrote:

I use the configuration edited from the pdf created by Noah Dietrich for snort3 on Ubuntu 18 & 20.

By the begun I have 600 rules like the system doesn't read rules; before I downloaded the rules I have ever 600 rules.

Have you a repairing?

Thank you in advance for your help,

Regards.

Dorian Rosse.
________________________________
From: Maya Dagon (mdagon) <mdagon () cisco com>
Sent: Monday, February 28, 2022 4:34:28 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>; Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>; snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-devel] i have only 600 rules in my snort3

Hi Dorian,

The path depends on your configuration. Are you including the rules from another file? Is it using relative path?

Thanks,
Maya

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Dorian ROSSE via Snort-devel <snort-devel () lists snort org>
Reply-To: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Saturday, February 26, 2022 at 6:46 AM
To: "Snort-users () lists snort org" <snort-users () lists snort org>, "snort-devel () lists snort org" <snort-devel () lists snort org>, "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-devel] i have only 600 rules in my snort3

My rules are located under:

'''/usr/local/etc/rules/rules$''' and '''/usr/local/etc/rules/so_rules$''',

should I down up in the root etc like those:

'''/usr/local/etc/rules''' and '''/usr/local/etc/so_rules'''?

Thank you in advance for your answer lighted,

Regards.

Dorian ROSSE.
________________________________
From: Dorian ROSSE
Sent: Friday, February 25, 2022 16:43
To: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>; snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: i have only 600 rules in my snort3

Hello,

I have this problem:

'''
rule counts
total rules loaded: 600
builtin rules: 600
option chains: 600
chain headers: 1
'''

ethtool is again broken then I have go more far. Why I have only 600 rules? I have successfully installed pulledpork and downloaded the rules.

Thank you in advance to help myself fully configured snort3,

Regards.

Dorian ROSSE.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
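The effect of the ips_policy setting discussed in Noah Dietrich's reply, as an added example that is not part of the thread and is not PulledPork's own code. It assumes rules carry policy tags such as "policy balanced-ips drop" in their metadata option and that each ips_policy value maps to the tag of the same name with "-ips" appended; the sample rules are constructed, and the "none" value is not modelled.

```python
import re

# Assumed mapping: ips_policy value in pulledpork.conf -> policy tag in rule metadata.
POLICY_TAG = {"connectivity": "connectivity-ips", "balanced": "balanced-ips",
              "security": "security-ips", "max-detect": "max-detect-ips"}

# pulledpork.conf lines as quoted in the thread.
SAMPLE_CONF = """\
# must be one of: connectivity, balanced, security, max-detect, none
# default is connectivity. Will not work with community ruleset.
ips_policy = balanced
"""

# Constructed rules (not from any real ruleset); '#' marks a rule shipped disabled.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed A"; metadata:policy connectivity-ips drop,policy balanced-ips drop,policy security-ips drop,policy max-detect-ips drop; sid:1000001;)
# alert tcp any any -> any 80 (msg:"constructed B"; metadata:policy balanced-ips drop,policy security-ips drop,policy max-detect-ips drop; sid:1000002;)
# alert tcp any any -> any 80 (msg:"constructed C"; metadata:policy security-ips alert,policy max-detect-ips drop; sid:1000003;)
# alert tcp any any -> any 80 (msg:"constructed D"; metadata:policy max-detect-ips drop; sid:1000004;)
# alert tcp any any -> any 80 (msg:"constructed E, no policy tag"; sid:1000005;)
"""

RULE_RE = re.compile(r"^\s*#?\s*(?:alert|drop|block|reject|pass|log)\s.*\)\s*$")
META_RE = re.compile(r"metadata\s*:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+([\w-]+)")


def read_ips_policy(conf_text):
    """Return the ips_policy value, ignoring comments; default is connectivity."""
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "ips_policy":
            return value.strip()
    return "connectivity"


def rule_policies(rule_line):
    """Collect the policy tags named in a rule's metadata option(s)."""
    return {tag for meta in META_RE.findall(rule_line)
            for tag in POLICY_RE.findall(meta)}


def enabled_count(rules_text, ips_policy):
    """Count rules the given policy would turn on, whatever their shipped state."""
    tag = POLICY_TAG[ips_policy]
    return sum(1 for line in rules_text.splitlines()
               if RULE_RE.match(line) and tag in rule_policies(line))


if __name__ == "__main__":
    print("configured:", read_ips_policy(SAMPLE_CONF))
    for policy in POLICY_TAG:
        print(f"{policy:12} -> {enabled_count(SAMPLE_RULES, policy)} of 5 rules enabled")
```
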
Current thread:
- i have only 600 rules in my snort3 Dorian ROSSE via Snort-devel (Feb 25)
- Re: i have only 600 rules in my snort3 Dorian ROSSE via Snort-devel (Feb 26)
- <Possible follow-ups>
- Re: i have only 600 rules in my snort3 Maya Dagon (mdagon) via Snort-devel (Feb 28)
- Re: i have only 600 rules in my snort3 Dorian ROSSE via Snort-devel (Feb 28)
- Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3 Noah Dietrich (Feb 28)
- Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3 Dorian ROSSE via Snort-sigs (Mar 01)
- Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3 Noah Dietrich (Mar 02)
- Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3 Dorian ROSSE via Snort-sigs (Mar 02)
- Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3 Noah Dietrich (Mar 02)
- Re: [Snort-users] i have only 600 rules in my snort3 Dorian ROSSE via Snort-devel (Mar 02)
- Re: [Snort-users] i have only 600 rules in my snort3 Noah Dietrich (Mar 02)
- Re: [Snort-users] i have only 600 rules in my snort3 Dorian ROSSE via Snort-devel (Mar 02)
- Re: [Snort-users] [Snort-devel] i have only 600 rules in my snort3 Noah Dietrich (Mar 02)
- Re: i have only 600 rules in my snort3 Dorian ROSSE via Snort-devel (Feb 28)