Snort mailing list archives
Re: Problems disabling rule categories with PulledPork
From: Martin Holste <mcholste () gmail com>
Date: Tue, 8 Mar 2011 15:24:30 -0600
Ah, very good, I see that was added in 0.5.0. I had ported my config from the previous version and did not see that option. On Tue, Mar 8, 2011 at 3:20 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
The enable/disable order is configurable. I think it is near the bottom of the config file. thx, Wally On Tue, Mar 8, 2011 at 4:09 PM, Martin Holste <mcholste () gmail com> wrote:We're running pulledpork for rulemanagemnts and use it to pull down VRT and ETPro rulesets. We'd like to be able to disable All the ETPro rules and enable them slowly for tuning purposes.You should have two separate pulled pork configs, one for VRT, one for ETPRO. In the ETPRO config, refer to a disabled_sids.conf which contains pcre:ETPRO. That will disable all ETPRO by default. Unfortunately, pulledpork is really bad at whitelisting because enabling occurs before disabling, so it's really tricky to disable all ETPRO except for FTP. There's probably a regexp that could match all ETPRO that does not contain FTP, but I was having troubles getting it to work. ------------------------------------------------------------------------------ What You Don't Know About Data Connectivity CAN Hurt You This paper provides an overview of data connectivity, details its effect on application quality, and explores various alternative solutions. http://p.sf.net/sfu/progress-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ What You Don't Know About Data Connectivity CAN Hurt You This paper provides an overview of data connectivity, details its effect on application quality, and explores various alternative solutions. http://p.sf.net/sfu/progress-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Problems disabling rule categories with PulledPork Mike Kun (Mar 08)
- Re: Problems disabling rule categories with PulledPork Joel Esler (Mar 08)
- Re: Problems disabling rule categories with PulledPork Mike Kun (Mar 08)
- Re: Problems disabling rule categories with PulledPork Joel Esler (Mar 08)
- Re: Problems disabling rule categories with PulledPork Mike Kun (Mar 08)
- Re: Problems disabling rule categories with PulledPork Martin Holste (Mar 08)
- Re: Problems disabling rule categories with PulledPork Jason Wallace (Mar 08)
- Re: Problems disabling rule categories with PulledPork Martin Holste (Mar 08)
- Re: Problems disabling rule categories with PulledPork Jason Wallace (Mar 08)
- Re: Problems disabling rule categories with PulledPork Randal T. Rioux (Mar 08)
- Re: Problems disabling rule categories with PulledPork Joel Esler (Mar 08)