Snort mailing list archives

Re: Downloads Rules Commented out


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 22 Jun 2012 15:01:20 -0400

On Jun 22, 2012, at 1:17 PM, Stephen Meier <stephencm () cos edu> wrote:

Good morning all,
 
I am sure that this is a total noob question, but I rebuilt my snort box with the latest and greatest snort version. When I got it all rebuilt, I was only seeing three distinct alerts coming across the console. School is out right now so I didn't really give it a lot of thought. But I was doing some network scans and some pen testing, and no other alerts were coming across the console. So I did some looking and the majority of the rules are commented out. Is this the way that it has always been? Is there some documentation about this that I need to read?

If you look at the ruleset, you will see something in the majority of the rules called "metadata".

We have connectivity-ips, balanced-ips, and security-ips.

By default, if a rule is placed in balanced-ips (in either alert or drop mode) the rule will be un-commented (on).  If 
it's just in security or in no policies, it's commented (off) by default.  If it's in connectivity, it should be in the 
other two as well.

So, balanced is the default.  Everything that is in balanced is on by default.  If you want to use the more stringent 
policy (security-ips) then you should use PulledPork to manage your ruleset.  You can provide PulledPork the option to 
enable this policy simply by using the .conf or a command line argument to the program.

You should use PulledPork anyway, however, since there will be flowbits in some rules that require other rules to be on 
to set the state of a session before a rule takes action.  PulledPork will auto-resolve these flowbits for you and turn 
them on.

Thanks

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
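The following is an added example of the two steps Joel describes, written for this archive page and not taken from PulledPork or the VRT ruleset: rules whose metadata names the chosen policy are un-commented, and any rule that sets a flowbit checked by an enabled rule is then switched on as well. The five rules embedded in the script are constructed for illustration (the SIDs are hypothetical values in the local range, the content strings are placeholders); the policy and flowbits parsing follows the standard Snort rule option syntax.

```python
"""Toggle Snort rules by metadata policy tag, then enable flowbit setters
that enabled rules depend on.  Added example; not PulledPork's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample ruleset: hypothetical local SIDs, not real VRT rules.
SAMPLE_RULES = """\
# --- constructed example ruleset ---
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE all policies"; flow:to_server,established; content:"foo"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE security only"; flow:to_server,established; content:"bar"; metadata:policy security-ips alert; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE flowbit setter"; flow:to_server,established; content:"login"; flowbits:set,example.session; flowbits:noalert; metadata:policy security-ips alert; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE flowbit checker"; flow:to_server,established; flowbits:isset,example.session; content:"payload"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE no policy"; flow:to_server,established; content:"qux"; sid:1000005; rev:1;)
"""

# A rule line: optional leading '#', an action keyword, a header, then the option body in parentheses.
RULE_RE = re.compile(r"^\s*(?P<comment>#\s*)?(?P<action>alert|drop|pass|log|sdrop|reject)\s+\S.*?\((?P<body>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]*);")


@dataclass
class Rule:
    sid: int
    line: str                    # rule text with any leading '#' removed
    policies: Dict[str, str]     # policy name -> action (alert/drop)
    sets: Set[str] = field(default_factory=set)    # flowbits this rule sets
    checks: Set[str] = field(default_factory=set)  # flowbits this rule tests


def _names(spec: str) -> Set[str]:
    # flowbit names may be combined with '&' or '|' in one option
    return {n.strip() for n in re.split(r"[&|]", spec) if n.strip()}


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw)
        if not m:
            continue  # blank lines and non-rule comments
        body = m.group("body")
        sm = SID_RE.search(body)
        if not sm:
            continue
        policies: Dict[str, str] = {}
        for meta in META_RE.findall(body):
            for entry in meta.split(","):  # e.g. "policy balanced-ips drop"
                parts = entry.split()
                if len(parts) == 3 and parts[0] == "policy":
                    policies[parts[1]] = parts[2]
        rule = Rule(int(sm.group(1)), raw.lstrip().lstrip("#").lstrip(), policies)
        for fb in FLOWBITS_RE.findall(body):
            op, _, spec = fb.partition(",")
            op = op.strip()
            if op in ("set", "setx", "toggle"):
                rule.sets |= _names(spec)
            elif op in ("isset", "isnotset"):
                rule.checks |= _names(spec)
        rules.append(rule)
    return rules


def enabled_for_policy(rules: List[Rule], policy: str = "balanced-ips") -> Set[int]:
    """SIDs whose metadata names the chosen policy (balanced-ips is the default)."""
    return {r.sid for r in rules if policy in r.policies}


def resolve_flowbits(rules: List[Rule], enabled: Set[int]) -> Set[int]:
    """Enable every rule that sets a flowbit an enabled rule checks, to a fixpoint."""
    by_sid = {r.sid: r for r in rules}
    setters: Dict[str, Set[int]] = {}
    for r in rules:
        for name in r.sets:
            setters.setdefault(name, set()).add(r.sid)
    result = set(enabled)
    changed = True
    while changed:
        changed = False
        for sid in list(result):
            for name in by_sid[sid].checks:
                missing = setters.get(name, set()) - result
                if missing:
                    result |= missing
                    changed = True
    return result


def render(rules: List[Rule], enabled: Set[int]) -> str:
    """Write the ruleset back out with disabled rules commented."""
    return "\n".join(r.line if r.sid in enabled else "# " + r.line for r in rules) + "\n"


def build_ruleset(text: str, policy: str = "balanced-ips") -> str:
    rules = parse_rules(text)
    return render(rules, resolve_flowbits(rules, enabled_for_policy(rules, policy)))


if __name__ == "__main__":
    print(build_ruleset(SAMPLE_RULES))
```

Run as written it emits the balanced-ips view: the setter rule (security-ips only) comes out un-commented because the balanced-ips checker depends on its flowbit, which is exactly the case Joel warns about if you toggle rules by hand; pass `"security-ips"` to `build_ruleset` to see the stricter policy.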

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

