Snort mailing list archives
Re: confused on what to do with the ruleset
From: "Carney, Megan" <Megan.Carney () selectcomfort com>
Date: Tue, 20 Nov 2012 16:03:16 +0000
You can certainly untar the rules file over the rules directory that snort is looking at, but there are a couple of reasons this is probably a bad idea.

1) Sometimes files are added to or removed from the tarball. If you are not using some sort of rules manager you will need to make sure that you reflect the changes in the list of filenames in your snort.conf - otherwise you will end up with a bunch of rules files that are sitting there unused or a bunch of entries in your snort.conf for files that are no longer there.

2) You will probably find that you need to disable or tune some of the rules in snort's subscription. Untarring the new rules over your rules directory will erase any modifications you make. Again, a rules manager will help you keep track of these sorts of changes.

3) Rules managers can automatically back up the existing rule set before making changes in case you need to roll back. Of course, this is something you can do yourself, but it will be easier to manage with an existing tool.

FWIW, if your concern is you don't want to allow your snort machine to make a connection to download a rules file, I imagine there is a way to tell pulledpork to use a local file for the rules tarball. I know oinkmaster has a way to do this.

-----Original Message-----
From: MLP SCADA [mailto:MLPSCADA () ci anchorage ak us]
Sent: Monday, November 19, 2012 7:59 PM
To: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] confused on what to do with the ruleset

So I've bought two business subscriptions to the ruleset. Now what am I actually supposed to do with them? I understand that I'm supposed to use pulledpork, but the network being monitored has no (known) outside connections, so I can't do that. I'm looking for something like 'untar new ruleset here', e.g.

cd /etc/snort/rules; tar xvzpf snortrules-snapshot.tar.gz

I've done my best trying to read the instructions and do the google thing, but I'm still not getting it.
https://www.snort.org/assets/166/snort_manual.pdf tells me all about how to write rules and all the details, but not what to do with a new downloaded ruleset. The various howtos are all inconsistent; probably very useful for someone that already knows what they're doing.
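A pre-flight script for applying a rules tarball by hand on an offline sensor, added here as an example (it is not from the thread and not part of pulledpork or oinkmaster): it backs up the live rules directory, lists the SIDs you have commented out locally so they can be re-applied, and reports which files in the staged tarball are missing from snort.conf's include list and which includes no longer have a file, which are the two problems Megan describes above. It assumes snort.conf references rules with `include $RULE_PATH/<file>.rules` lines; the sample layout built by make_sample is constructed for the demo, not real Snort rules.

```shell
#!/bin/sh
# Assumes snort.conf references rules as "include $RULE_PATH/<name>.rules".

# .rules file names in a directory, sorted.
list_rule_files() {
    find "$1" -maxdepth 1 -name '*.rules' -exec basename {} \; | sort
}

# .rules file names that snort.conf includes via $RULE_PATH, sorted.
list_conf_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*\$RULE_PATH\/\([^[:space:]]*\.rules\).*/\1/p' "$1" | sort -u
}

# SIDs of rules commented out in a rules directory: local tuning that an
# in-place untar would wipe out. Printed one per line, numerically sorted.
disabled_sids() {
    grep -h -E '^[[:space:]]*#[[:space:]]*(alert|drop|pass|log)[[:space:]]' "$1"/*.rules 2>/dev/null \
        | grep -o -E 'sid:[[:space:]]*[0-9]+' | sed 's/sid:[[:space:]]*//' | sort -n -u
}

# Timestamped backup of the live rules dir ($1) into $2; prints the archive path.
backup_rules() {
    out="$2/rules-$(date +%Y%m%d%H%M%S).tar.gz"
    mkdir -p "$2" && tar czf "$out" -C "$(dirname "$1")" "$(basename "$1")" && echo "$out"
}

# Compare an unpacked tarball ($2) with snort.conf ($1): "new <file>" for
# files the conf never includes, "gone <file>" for includes with no file.
include_drift() {
    tmp="${TMPDIR:-/tmp}/drift.$$"
    list_rule_files "$2" > "$tmp.files"
    list_conf_includes "$1" > "$tmp.conf"
    comm -23 "$tmp.files" "$tmp.conf" | sed 's/^/new /'
    comm -13 "$tmp.files" "$tmp.conf" | sed 's/^/gone /'
    rm -f "$tmp.files" "$tmp.conf"
}

# Constructed sample layout (not real Snort files): a live rules dir with one
# locally disabled rule, a snort.conf, and a staged tarball that drops one
# file and adds another. Prints the sandbox root.
make_sample() {
    root=$(mktemp -d) && mkdir -p "$root/rules" "$root/staging"
    printf 'alert tcp any any -> any 80 (msg:"a"; sid:1000001; rev:1;)\n' > "$root/rules/web.rules"
    printf '# alert tcp any any -> any 21 (msg:"b"; sid:1000002; rev:1;)\n' > "$root/rules/ftp.rules"
    printf 'include $RULE_PATH/web.rules\ninclude $RULE_PATH/ftp.rules\n' > "$root/snort.conf"
    : > "$root/staging/web.rules"; : > "$root/staging/malware.rules"
    echo "$root"
}
```

Run backup_rules and include_drift against the staging directory before touching the live one, and keep the disabled_sids output so the same rules can be commented out again after the new files are in place.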
Current thread:
- Re: confused on what to do with the ruleset MLP SCADA (Nov 19)
- Re: confused on what to do with the ruleset Carney, Megan (Nov 20)