Snort mailing list archives
Re: oinkmaster and so rules.. FAQ broken?
From: JJC <cummingsj () gmail com>
Date: Wed, 9 Feb 2011 07:38:23 -0700
On Wed, Feb 9, 2011 at 3:01 AM, Michael Scheidell <michael.scheidell () secnap com> wrote:
> On 2/8/11 9:40 PM, waldo kitty wrote:
>> one such reason that i'm aware, and i think i have talked with the pulledpork maintainer about it, is the merging of all rules files into one rules file...
>
> you're serious? if that is the case, then I won't even look at pulledpork. we have multiple snorts running in multiple hosts. on one host, one snort_lan.conf could have different rulesets than snort_wan.conf.
>
> that makes pulled pork a real pig in a poke.
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300
> SECNAP Network Security Corporation
> Certified SNORT Integrator
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
A couple quick notes here for clarity:

1: PP does write to a single unified output file to aid in simplifying snort configuration; the idea is that you use PP to manage the rule state and inclusion of all rulesets in this file. You can still have multiple snorts running multiple disparate rulesets; again, the rule inclusion / state is simply managed by PP rather than commenting / uncommenting in your master snort.conf.

2: The source rules file name already exists in the data structure at %ruleshash{gid}{sid}{rulesfilenameishere}; this has existed in the data structure for some time now! As such, and by design, it would be trivial for someone to use this data to write individual rules files back out from PP, and this is a slated enhancement to PP. Having said that, I still advocate using a single rules file as it can dramatically reduce the complexity needed to run / tune your snort deployment. This does not apply to gid:3 stub rules though; they will still be written to a single output file.

I certainly welcome any contribution to the tool such as the aforementioned :-)
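Added example, not PulledPork's own code (and in Python rather than PP's Perl): it parses two constructed rules files into a gid/sid hash that records each rule's source file name, in the spirit of the %ruleshash{gid}{sid}{file} structure JJC describes, toggles one rule's state, and then renders either the single unified file or per-source files while keeping gid:3 stubs in one file. The output file names, the rule regex and the gid:3 handling are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: two source rules files as a rule manager would fetch them.
SAMPLE_FILES = {
    "web-attacks.rules": (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB one"; sid:1000001; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB two"; sid:1000002; rev:1;)\n'
    ),
    "so_rules.rules": 'alert tcp any any -> any any (msg:"SO stub"; gid:3; sid:1000003; rev:1;)\n',
}

# A rule line, optionally commented out (disabled); assumed simplified Snort syntax.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<body>(?:alert|drop|pass|log|reject|sdrop)\s.*\(.*\))\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')

def parse_rules(files):
    """Build ruleshash[gid][sid] = {file, rule, enabled}, keeping the source file name per rule."""
    ruleshash = defaultdict(dict)
    for name, text in files.items():
        for line in text.splitlines():
            m = RULE_RE.match(line.strip())
            if not m:
                continue  # blank lines and ordinary comments are not rules
            body = m.group("body")
            sid_m = SID_RE.search(body)
            if not sid_m:
                continue
            gid_m = GID_RE.search(body)
            gid = int(gid_m.group(1)) if gid_m else 1  # Snort's default gid is 1
            ruleshash[gid][int(sid_m.group(1))] = {
                "file": name, "rule": body, "enabled": m.group("disabled") is None}
    return ruleshash

def set_state(ruleshash, gid, sid, enabled):
    """Enable or disable one rule by gid:sid, instead of editing include lines in snort.conf."""
    ruleshash[gid][sid]["enabled"] = enabled

def render(ruleshash, split_by_file=False):
    """Return {output filename: contents}. Unified mode writes one snort.rules; split mode writes
    each rule back to its recorded source file, except gid:3 stubs, which stay in one file."""
    out = defaultdict(list)
    for gid in sorted(ruleshash):
        for sid in sorted(ruleshash[gid]):
            r = ruleshash[gid][sid]
            # "snort.rules" and "so_rules.rules" are assumed output names, not PP's.
            target = "snort.rules" if not split_by_file else ("so_rules.rules" if gid == 3 else r["file"])
            out[target].append(("" if r["enabled"] else "# ") + r["rule"])
    return {k: "\n".join(v) + "\n" for k, v in out.items()}
```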