Snort mailing list archives

Re: pulledpork re-organizing rules?


From: JJC <cummingsj () gmail com>
Date: Tue, 10 Aug 2010 12:42:56 -0400

A bit more inline....

On Tue, Aug 10, 2010 at 12:31 PM, Joel Esler <jesler () sourcefire com> wrote:

On Aug 10, 2010, at 12:06 PM, Billy Marshall wrote:

Hi all,
I noticed that Pulled_Pork v0.4.2 is writing the rules to two large files
now so there are only 2 rule files;
snort.rules and so_rules.rules


Correct.


Doesn't this defeat the organization of the rules that snort.org has set
forth?


The rules are arranged into categories, you can arrange them however you
want.  PulledPork does it in two files.

This makes your snort.conf configuration simpler.  Pulledpork still
allows you to categorically manage rules... using the ignore directive in
the master configuration file, as well as being able to globally enable /
disable / drop based on category (see the example config files for each
category for more information).



Why is a third party support application re-structuring rule sets and not
conforming to snort?
Have I misunderstood something?


Yes.  Management of rules is then turned over to pulledpork and you cease
to manage your rules manually.

The idea is to manage the rules with PulledPork, snort uses them, it does
not manage them.. a simple example is that you don't want to use smtp.rules
anymore... instead of removing the .rules file and commenting out in
snort.conf.. simply specify this in your pulledpork.conf that you want to
ignore or disable this category then HUP your snort... voila, it's done.



Is snort restructuring its configuration file?




With pulledpork:
I cannot exclude a rule set with the snort.conf without running
pulledpork.


Correct.  You can't make changes to a rule set without using the thing that
manages the rules.


The files snort.rules and so_rules.rules are not in the snort.conf file. If
I add them (logically) I will have duplicate rules unless I comment out the
rules I want to keep that are organized. However, when I really do add the
files, snort.rules and so_rules.rules , Snort does not initialize.


Well, that's a different problem, and it seems like we need to fix that.


Furthermore; logically, when I do update with pulledpork and if I was
unaware of the changes I would never get the new rules because they are
stuffed in files that are never looked at by the snort engine without adding
them to the snort.conf file.


That's why pulledpork logs all of its changes in a file called
sid-changes.log

This is confusing, poses many future issues, and forces snort
being dependent on pulledpork.


It keeps you from having to make changes in multiple places.  Now you make
changes in one place (pulledpork) and let pulledpork handle the rest.

If I remove all rules from the rules directory and run pulledpork it only
creates the aforementioned files and none of the others.


Correct.  You'll need to add them into the snort.conf

And of course remove the others from snort.conf
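A small check for the duplicate-rule situation discussed above (an added example, not code from the PulledPork or Snort projects): it reads the $RULE_PATH includes from snort.conf and reports any SID that is enabled in more than one included rules file, so a leftover per-category file sitting next to PulledPork's snort.rules can be spotted before Snort is restarted. The file names and rule lines are constructed sample data.

```python
import re
from collections import defaultdict

# "include $RULE_PATH/<file>" lines in snort.conf; a leading '#' disables the include.
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+)", re.MULTILINE)
# The sid option of an enabled rule; a rule line starting with '#' is disabled.
RULE_SID_RE = re.compile(r"^\s*(?!#)\S.*?\bsid\s*:\s*(\d+)\s*;", re.MULTILINE)


def included_rule_files(snort_conf: str) -> list:
    """Rule files that snort.conf pulls in via $RULE_PATH, in include order."""
    return INCLUDE_RE.findall(snort_conf)


def active_sids(rules_text: str) -> set:
    """SIDs of the enabled (not commented-out) rules in one rules file."""
    return {int(s) for s in RULE_SID_RE.findall(rules_text)}


def duplicate_sids(snort_conf: str, rule_files: dict) -> dict:
    """Map each SID loaded from more than one included file to those files.

    rule_files maps a file name (as written after $RULE_PATH/) to its text.
    Files snort.conf does not include are skipped: Snort never loads them.
    """
    seen = defaultdict(list)
    for name in included_rule_files(snort_conf):
        for sid in sorted(active_sids(rule_files.get(name, ""))):
            seen[sid].append(name)
    return {sid: files for sid, files in seen.items() if len(files) > 1}

# Constructed sample: an old per-category file and PulledPork's snort.rules
# are both included, so the SMTP rule is loaded twice.
SNORT_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snort.rules
# include $RULE_PATH/so_rules.rules
"""
RULE_FILES = {
    "smtp.rules": 'alert tcp any any -> any 25 (msg:"SMTP A"; sid:1001; rev:1;)\n'
                  '# alert tcp any any -> any 25 (msg:"SMTP off"; sid:1003; rev:1;)\n',
    "snort.rules": 'alert tcp any any -> any 25 (msg:"SMTP A"; sid:1001; rev:1;)\n'
                   'alert tcp any any -> any 80 (msg:"HTTP B"; sid:2001; rev:1;)\n',
    "so_rules.rules": 'alert tcp any any -> any 80 (msg:"SO C"; sid:3001; rev:1;)\n',
}

if __name__ == "__main__":
    for sid, files in sorted(duplicate_sids(SNORT_CONF, RULE_FILES).items()):
        print(f"sid {sid} is loaded from {len(files)} files: {', '.join(files)}")
```

Pointing the functions at the real snort.conf and rules directory is a matter of reading the files into the same two arguments; the commented-out so_rules.rules include in the sample shows that disabled includes and disabled rules are both ignored.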






------------------------------------------------------------------------------
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
