Snort mailing list archives
Re: Downloads Rules Commented out
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 22 Jun 2012 15:01:20 -0400
On Jun 22, 2012, at 1:17 PM, Stephen Meier <stephencm () cos edu> wrote:
Good morning all, I am sure that this is a total noob question, but I rebuilt my snort box with the latest and greatest snort version. When I got it all rebuilt, I was only seeing three distinct alerts coming across the console. School is out right now so I didn't really give it a lot of thought. But I was doing some network scans and some pen testing, and no other alerts were coming across the console. So I did some looking and the majority of the rules are commented out. Is this the way that it has always been? Is there some documentation about this that I need to read?
If you look at the ruleset, you will see something in the majority of the rules called "metadata". We have connectivity-ips, balanced-ips, and security-ips. By default, if a rule is placed in balanced-ips (in either alert or drop mode) the rule will be un-commented (on). If it's just in security or in no policies, it's commented (off) by default. If it's in connectivity, it should be in the other two as well. So, balanced is the default. Everything that is in balanced is on by default.

If you want to use the more stringent policy (security-ips) then you should use PulledPork to manage your ruleset. You can provide PulledPork the option to enable this policy simply by using the .conf or a command line argument to the program.

You should use PulledPork anyway, however, since there will be flowbits in some rules that require other rules to be on to set the state of a session before a rule takes action. PulledPork will auto-resolve these flowbits for you and turn them on.

Thanks

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
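An added illustration of the two mechanisms described in the reply, not code from the thread or from PulledPork: it parses the policy metadata and flowbits options out of a few constructed Snort rules, reports which ones ship un-commented, and then computes which SIDs a chosen policy turns on once the flowbit setters those rules depend on are pulled in. The sample rules, SIDs and flowbit name are made up for the example.

```python
import re

# Constructed sample rules (not from a real ruleset): 1000003 sets the flowbit
# that 1000001 tests but has no policy metadata, so it ships commented out.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"NEEDS FLOWBIT"; flowbits:isset,app.seen; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001;)
# alert tcp any any -> any 80 (msg:"SEC ONLY"; metadata:policy security-ips drop; sid:1000002;)
# alert tcp any any -> any 80 (msg:"SETTER"; flowbits:set,app.seen; flowbits:noalert; sid:1000003;)
# alert tcp any any -> any 80 (msg:"NO POLICY"; sid:1000004;)
"""

POLICY_RE = re.compile(r"policy\s+(connectivity-ips|balanced-ips|security-ips)")
FLOWBITS_RE = re.compile(r"flowbits:\s*(\w+)\s*,\s*([\w.&|]+)")  # action,name(s)
SID_RE = re.compile(r"\bsid:\s*(\d+)")

def parse_rules(text):
    """One dict per rule: sid, shipped on/off state, policies, flowbits it sets/needs."""
    rules = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m or "(" not in line:
            continue  # blank line or plain comment, not a rule
        sets, needs = set(), set()
        for action, names in FLOWBITS_RE.findall(line):
            targets = set(re.split(r"[&|]", names))  # flowbits may combine names
            if action in ("set", "setx"):
                sets |= targets
            elif action in ("isset", "isnotset"):
                needs |= targets
        rules.append({"sid": int(m.group(1)), "sets": sets, "needs": needs,
                      "shipped_on": not line.lstrip().startswith("#"),
                      "policies": set(POLICY_RE.findall(line))})
    return rules

def enabled_sids(rules, policy="balanced-ips"):
    """SIDs on under a policy plus the flowbit setters they depend on (fixed point)."""
    on = {r["sid"] for r in rules if policy in r["policies"]}
    while True:
        needed = set().union(*(r["needs"] for r in rules if r["sid"] in on))
        extra = {r["sid"] for r in rules if r["sid"] not in on and r["sets"] & needed}
        if not extra:
            return on
        on |= extra  # turn on the rules that set the required flowbits, then re-check

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("shipped on:", sorted(r["sid"] for r in rules if r["shipped_on"]))
    print("balanced-ips:", sorted(enabled_sids(rules, "balanced-ips")))
    print("security-ips:", sorted(enabled_sids(rules, "security-ips")))
```

Note that 1000003 is off in the shipped file under every policy, which is exactly the case where a rule that depends on it would never fire without the flowbit resolution step.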