Re: Problems disabling rule categories with PulledPork

[Joel Esler <jesler () sourcefire com>]

You can disable a rule category with a pcre, something like "ET FTP" in the
disablesid.conf

J

On Tue, Mar 8, 2011 at 4:08 PM, Mike Kun <mkun () akamai com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> That's somewhat helpful, but I'm not sure I'm clear on how PulledPork
> understands the difference between VRT and ETPro rule files.
> For example, VRT and ETPro have a rule file called "ftp". If I disable
> ftp rules in the diablesid file, how does Pulledpork know which to disable?
> I assume it disables both, but I'm hoping there's a way to only disable
> the ETpro rule file and leave the (tuned) VRT rules in place.
>
> - -Mike
>
>
> On 03/08/2011 04:03 PM, Joel Esler wrote:
> > At the top of the pulledpork.conf file, there is the rule_url
> specifications.
> >   To get remove a ruleset completely and quickly, comment out the
> rule_url you
> > don't want to download.
> >
> > After you want to add it back in, check out the disablesid.conf file, and
> the
> > syntax that is in there for disabling rule files individually.
> >
> > Joel
> >
> > On Tue, Mar 8, 2011 at 3:20 PM, Mike Kun <mkun () akamai com
> > <mailto:mkun () akamai com>> wrote:
> >
> > We're running pulledpork for rulemanagemnts and use it to pull down VRT
> > and ETPro rulesets.
> > We'd like to be able to disable All the ETPro rules and enable them
> > slowly for tuning purposes.
> > Is there any way to do this without disabling the VRT rules as well.
> > For example, if I add "ftp" to the disablesid file, that should disable
> > all FTP rules for both VRT and ETPro.
> > Suppose I only wanted to disable the ETPro Ftp rules, how could that be
> > handled?
> >
> > -Mike
>
> -
>
> ------------------------------------------------------------------------------
> What You Don't Know About Data Connectivity CAN Hurt You
> This paper provides an overview of data connectivity, details
> its effect on application quality, and explores various alternative
> solutions. http://p.sf.net/sfu/progress-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net <mailto:
> Snort-users () lists sourceforge net>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> > --
> > Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
> > http://blog.clamav.net
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJNdprJAAoJEMhWEt1OJPG/tToIAMUF0y5+VZ409ANWSAJBWY3B
> gg9t/D0QN17uHq9WqTw05wVVL0ZkWOJu3+wO5iQi3JlQVZXcMpv5F6mcfNothbtE
> 5DiqDBDdiHkvuBRiLjxaXZz/Xifn4l5QImdF18LORLIEY6ml+IWJdky7BytMAOH2
> eEtNY7xn8+lbk8uE/+iu4AmIi3Ar/GVLy+MU2W5eYCkT5b0BPruVURHKHCRU6m42
> ZeSnq+DapuvYZ57xVtw4minNPoq510Do7hs+x0YHl5AwfvWn9a/8B6wrPYWEN58q
> MDnvaqpgDGqxaRcHfFgFTvYaDcSodp+lFxp+zSr+86M8M0GioGpV12ZAt3/sR6I=
> =vsk8
> -----END PGP SIGNATURE-----



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net

------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various alternative
solutions. http://p.sf.net/sfu/progress-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users