Snort mailing list archives

Re: quick question about snort.conf


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 23 Oct 2012 19:04:28 -0400

Exactly correct.  

Sent from my iPhone

On Oct 23, 2012, at 6:06 PM, Jeremy Hoel <jthoel () gmail com> wrote:

The rules file you get still has all the rules in the little groups.
That's still the official way.

if you want better/easier rule management then you use
pulledpork/oinkmaster/etc. And with pulledpork, one of its options is
to output the single snort.rules file. You don't have to do that, you
can still have the individual files, but the single file is the
default.

So as far as Snort is concerned, its default way is to use the
individual files, but most of the users will probably migrate to
better management with the single rules file.

On Tue, Oct 23, 2012 at 9:59 PM, AllowOverride <allowoverride () gmail com> wrote:
I noticed today that the snort.conf from:

http://labs.snort.org/snort/2931/snort.conf

still includes the "include" rules.

From what I have been told, for IDS in my case, I need to # out the
include statements, and only use the snort.rules likes this:

include $RULE_PATH/snort.rules

So to wrap up: when I use the snort.rules listed above, Snort works. If I
do NOT include the path above, it will not. A 0-byte snort.log is my
proof.

I am curious as to why the downloadable snort.conf is still including
the paths below, not #'d out, and still available?

Shouldn't they be removed since snort.rules is the supported way
officially?

Just wondering; I appreciate your comments.



wrong way:

# site specific rules
include $RULE_PATH/local.rules

include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
....

right way:

# site specific rules
#include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
....


correct?

PS: BASE 1.4.5, barnyard2, pulledpork and snort work fine :)

thanks!




------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
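Added example (not from the thread, and not Snort's or PulledPork's own tooling): a small POSIX shell checker for the situation the thread describes. It reads a 2.9.x-style snort.conf for the "var RULE_PATH" line and the active "include $RULE_PATH/..." lines, expands the variable, and reports any included rule file that does not exist on disk. Snort treats an include it cannot open as a fatal error, so this is worth running before "snort -T -c snort.conf" after switching between the per-file includes and the single snort.rules. Assumptions: RULE_PATH is absolute or relative to the directory holding snort.conf, nested variables (e.g. $PREFIX/rules) are not expanded, and the sample directory the script builds under mktemp is constructed for the demo.

```shell
#!/bin/sh
# Added example (not Snort, PulledPork or list code): audit which rule files a
# snort.conf actually includes and flag the ones missing on disk.
# Assumes the 2.9.x snort.conf syntax seen in the thread:
#   var RULE_PATH <dir>
#   include $RULE_PATH/<name>.rules     (a leading '#' comments the line out)
# Assumption: RULE_PATH is absolute, or relative to the directory holding
# snort.conf; nested variables such as $PREFIX/rules are not expanded.

# Print every active (uncommented) include target, one per line, with
# $RULE_PATH expanded and relative paths resolved against the conf's directory.
snort_active_includes() {
    conf=$1
    confdir=$(dirname "$conf")
    awk -v confdir="$confdir" '
        $1 == "var" && $2 == "RULE_PATH" {
            rp = $3
            if (rp !~ /^\//) rp = confdir "/" rp   # relative RULE_PATH (assumption)
        }
        $1 == "include" {                          # "#include" never matches here
            f = $2
            sub(/\$RULE_PATH/, rp, f)              # rp containing "&" is not handled
            if (f !~ /^\//) f = confdir "/" f
            print f
        }
    ' "$conf"
}

# Print the active includes whose files do not exist.
snort_missing_includes() {
    snort_active_includes "$1" | while IFS= read -r f; do
        [ -f "$f" ] || printf '%s\n' "$f"
    done
}

# Return 0 when every active include exists, 1 otherwise (listing the misses).
snort_check_includes() {
    missing=$(snort_missing_includes "$1")
    if [ -n "$missing" ]; then
        printf 'missing rule files referenced by %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree mirroring the thread's migration: snort.rules (as
# PulledPork writes it) and local.rules exist, app-detect is commented out,
# and one per-file include was left active although its file is gone.
snort_demo_setup() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    printf 'alert tcp any any -> any 80 (msg:"demo"; sid:1000001; rev:1;)\n' \
        > "$d/rules/snort.rules"
    : > "$d/rules/local.rules"
    cat > "$d/snort.conf" <<EOF
var RULE_PATH $d/rules
# site specific rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/snort.rules
#include \$RULE_PATH/app-detect.rules
include \$RULE_PATH/attack-responses.rules
EOF
    printf '%s\n' "$d"
}

DEMO_DIR=$(snort_demo_setup)          # left in place; remove when done
echo "active includes in $DEMO_DIR/snort.conf:"
snort_active_includes "$DEMO_DIR/snort.conf"
snort_check_includes "$DEMO_DIR/snort.conf" || echo "fix snort.conf before starting snort"
```

Point the functions at a real /etc/snort/snort.conf instead of the demo tree to see which of the old per-file includes are still active and whether each file they name is actually present after a PulledPork run.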
