Snort mailing list archives

Re: open-test.conf


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 27 Nov 2012 21:35:42 -0500

On 11/27/2012 19:05, JJC wrote:
Inline

Sent from my iPad

On Nov 27, 2012, at 17:51, waldo kitty<wkitty42 () windstream net>  wrote:

On 11/27/2012 15:46, Y M wrote:
The best way to enable rules (uncomment) and keep track of enabled, disabled,
modified, drop sids is to use PulledPork.

or oinkmaster and its config where you can specify enablesid, disablesid or even
modifysid...

don't forget that pulledpork started as oinkmaster once upon a time ;)

The idea maybe, but PP is a complete ground up effort....

ahh... i may have misunderstood what i read on the site or in the history... it 
seemed to say that it was forked from OM and then modified from there... my 
apologies if this is incorrect...

One of the many benefits of using PP is flowbit dependency resolution!

that's what i keep hearing... however, i note that it is one way only... rules 
that set flowbits and are explicitly turned off get turned on instead of the 
rules checking the flowbit getting turned off... that's ok in some cases but not 
good in others... in reality, both should be handled by a human... especially 
since snort reports them and humans are supposedly monitoring snort's log output ;)



With PulledPork, you use policy,

policies are only one aspect... you can still use the above-mentioned enablesid,
disablesid and modifysid with pulledpork unless i've misread/misunderstood
something over these last months...
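The two directions of flowbit dependency handling discussed above can be made concrete. The following is an added example, not code from this thread, from PulledPork or from Oinkmaster: it models the one-way behaviour the reply describes (an enabled rule that checks a flowbit pulls any explicitly disabled rule that sets that bit back on) beside the opposite policy (keep the disabled setters off and instead report the checker rules left without a setter). The rules, sids and flowbit names are constructed for illustration, and the parser only understands the `flowbits:set` / `flowbits:isset` forms, not full Snort rule syntax.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the thread); simplified Snort rule syntax.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed: set login bit"; '
    'flowbits:set,ex.login; flowbits:noalert; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed: needs login bit"; '
    'flowbits:isset,ex.login; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed: needs login AND admin"; '
    'flowbits:isset,ex.login&ex.admin; sid:1000003; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed: set admin bit"; '
    'flowbits:set,ex.admin; sid:1000004; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed: no flowbits"; '
    'content:"foo"; sid:1000005; rev:1;)',
]

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits:\s*([^;]+);')
SETTERS = {'set', 'setx', 'toggle'}   # verbs that make a bit available


def parse_rule(rule):
    """Return (sid, bits_set, checks) for one rule line.

    checks is a list of conditions, one per flowbits:isset option. Each
    condition is a list of alternatives ('a|b' form) and each alternative is
    a frozenset of bits that must all be set ('a&b' form).
    """
    sid = int(SID_RE.search(rule).group(1))
    bits_set, checks = set(), []
    for opt in FLOWBITS_RE.findall(rule):
        parts = [p.strip() for p in opt.split(',')]
        if len(parts) < 2:             # noalert / reset carry no bit name
            continue
        verb, expr = parts[0], parts[1]
        if verb in SETTERS:
            bits_set.update(expr.split('&'))
        elif verb == 'isset':
            checks.append([frozenset(a.split('&')) for a in expr.split('|')])
    return sid, bits_set, checks


def _setters_by_bit(parsed):
    idx = defaultdict(set)
    for sid, bits_set, _ in parsed:
        for bit in bits_set:
            idx[bit].add(sid)
    return idx


def reenable_setters(rules, disabled):
    """One-way resolution as described in the thread: every enabled rule that
    checks a flowbit turns the rules setting that bit back on, even when they
    were explicitly disabled. Returns (enabled_sids, reenabled_sids)."""
    parsed = [parse_rule(r) for r in rules]
    idx = _setters_by_bit(parsed)
    enabled = {sid for sid, _, _ in parsed} - set(disabled)
    reenabled, changed = set(), True
    while changed:                     # a re-enabled setter may check bits too
        changed = False
        for sid, _, checks in parsed:
            if sid not in enabled:
                continue
            for cond in checks:
                for alt in cond:
                    for bit in alt:
                        for setter in idx[bit] - enabled:
                            enabled.add(setter)
                            reenabled.add(setter)
                            changed = True
    return enabled, reenabled


def disable_orphan_checkers(rules, disabled):
    """The other direction: respect the disabled setters and turn off checker
    rules whose flowbit no enabled rule can set any more.
    Returns (enabled_sids, orphaned_sids)."""
    parsed = [parse_rule(r) for r in rules]
    idx = _setters_by_bit(parsed)
    enabled = {sid for sid, _, _ in parsed} - set(disabled)
    orphaned, changed = set(), True
    while changed:                     # a disabled checker may set bits others need
        changed = False
        for sid, _, checks in parsed:
            if sid not in enabled or not checks:
                continue
            ok = all(any(all(idx[b] & enabled for b in alt) for alt in cond)
                     for cond in checks)
            if not ok:
                enabled.discard(sid)
                orphaned.add(sid)
                changed = True
    return enabled, orphaned


if __name__ == '__main__':
    off = {1000001}                    # operator explicitly disabled the login setter
    print('re-enabled setters:', sorted(reenable_setters(SAMPLE_RULES, off)[1]))
    print('orphaned checkers: ', sorted(disable_orphan_checkers(SAMPLE_RULES, off)[1]))
```

Running it with sid 1000001 disabled shows the asymmetry the reply complains about: the first policy silently switches 1000001 back on, the second leaves it off and instead reports 1000002 and 1000003 as checkers with no setter, so the operator can decide which outcome was intended.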




