Snort mailing list archives

Re: open-test.conf


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 27 Nov 2012 17:54:11 -0500

I don't have anything to add here really, as Y M is right.

On Nov 27, 2012, at 3:46 PM, Y M <snort () outlook com> wrote:

> The best way to enable rules (uncomment) and keep track of enabled, disabled, modified, and drop sids is to use
> PulledPork. With PulledPork, you use a policy, which PulledPork uses to enable rules based on the policy metadata
> defined in each rule.
> The policies available are:
> 1. Connectivity.
> 2. Balanced.
> 3. Security.
> 4. "no policy". Means no policy is defined for a specific rule.
>
> The VRT team suggests starting with the balanced policy. These have been explained on Snort's blog (not the VRT blog). Also,
> in the documentation of PulledPork they are briefly explained. I would also suggest searching these to gain a better
> overall understanding.

Balanced is our default.  We recommend starting there and moving to Security-over-connectivity for the most secure 
network.  These policies are going to be reshaped somewhat in the coming months to make them easier to understand.

> The reason the rules are commented, I guess (and which is a good practice in my opinion), is that each environment
> you deploy Snort in is unique and requires understanding of several factors, such as your network traffic, the systems
> deployed, your response methodology, your sensors' location in the network, and other factors as well.

Correct.  Not everything applies to every network.  We try to keep things that are important and catch things in the
wild and widely deployed in balanced.  As I said, this will change somewhat.

> I don't use the open-test.conf file, never did. I use the supplied snort.conf file and apply my customization to it.

I don't know what the open-test.conf file is, but yes, we recommend you use the snort.conf examples found here:

http://www.snort.org/vrt/snort-conf-configurations/

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
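As an added worked example (not code from this thread, from the VRT, or from PulledPork itself), the following Python sketches the mechanism Y M describes: choose one policy and then enable, disable, or flag for drop each rule according to the "policy <name>-ips <action>" entries in its metadata keyword, while leaving "no policy" rules untouched so local rules survive a re-run. The rules, sids (9000001-9000005) and messages are constructed for the example; the metadata convention and the set_drop_action option are assumptions made here, not a description of PulledPork's actual options or behaviour.

```python
import re

# Constructed sample ruleset for this example: the sids (9000001-9000005),
# messages and content are made up and are not real VRT rules. The metadata
# convention "policy <name>-ips <drop|alert>" is the one this example assumes
# a policy-driven rule manager such as PulledPork keys on.
SAMPLE_RULES = """\
# Constructed rules for the policy example
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE in all three policies"; flow:to_server,established; content:"GET"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service http; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE balanced and security"; flow:to_server,established; content:"POST"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE security only, alert not drop"; flow:to_server,established; metadata:policy security-ips alert, service ssl; sid:9000003; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE no policy metadata"; metadata:service dns; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE local rule, already enabled, no metadata"; sid:9000005; rev:1;)
"""

# A rule line: optional leading "#", a rule action, then the header and options.
RULE_RE = re.compile(r"^(#\s*)?(alert|drop|log|pass|reject|sdrop)\s+(.*)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"\bmetadata:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+([a-z]+)-ips\s+(drop|alert)")


def parse_rule(line):
    """Split a possibly commented-out rule into (commented, action, rest).

    Returns None for blank lines and for comments that are not rules
    (anything without a sid option)."""
    m = RULE_RE.match(line.strip())
    if not m or not SID_RE.search(m.group(3)):
        return None
    return (m.group(1) is not None, m.group(2), m.group(3))


def rule_policies(rest):
    """Return {policy_name: action} parsed from the rule's metadata keyword,
    e.g. {"balanced": "drop", "security": "drop"}; empty if none."""
    m = METADATA_RE.search(rest)
    if not m:
        return {}
    return dict(POLICY_RE.findall(m.group(1)))


def apply_policy(ruleset, policy, set_drop_action=False):
    """Rewrite `ruleset` for one policy (connectivity, balanced or security).

    Rules whose metadata lists the policy are uncommented; rules that carry
    policy metadata but not this policy are commented out; rules with no
    policy metadata ("no policy") are left exactly as found, which is what
    lets local rules survive a re-run. With set_drop_action=True (an option
    assumed for this example), rules the policy marks "drop" also get their
    action keyword rewritten to drop for inline use; an alert-only sensor
    should leave it False. Returns (new_text, summary), summary being sids
    by state: enabled, disabled, drop, modified, no_policy."""
    summary = {"enabled": [], "disabled": [], "drop": [],
               "modified": [], "no_policy": []}
    out = []
    for line in ruleset.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)
            continue
        _commented, action, rest = parsed
        sid = int(SID_RE.search(rest).group(1))
        policies = rule_policies(rest)
        if not policies:
            summary["no_policy"].append(sid)
            out.append(line)
        elif policy in policies:
            summary["enabled"].append(sid)
            if policies[policy] == "drop":
                summary["drop"].append(sid)
            new_action = action
            if set_drop_action and policies[policy] == "drop" and action != "drop":
                new_action = "drop"
                summary["modified"].append(sid)
            out.append(f"{new_action} {rest}")
        else:
            summary["disabled"].append(sid)
            out.append(f"# {action} {rest}")
    return "\n".join(out) + "\n", summary


if __name__ == "__main__":
    new_text, result = apply_policy(SAMPLE_RULES, "balanced")
    print(new_text)
    for state, sids in result.items():
        print(f"{state:>9}: {sids}")
```

Running it with "balanced" enables sids 9000001 and 9000002, comments out the security-only 9000003, and leaves 9000004 and 9000005 as "no policy"; re-running over its own output changes nothing, which is the property you want from a tool that is going to touch your rules on every update.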
