Snort mailing list archives

Re: confused on what to do with the ruleset


From: "Carney, Megan" <Megan.Carney () selectcomfort com>
Date: Tue, 20 Nov 2012 16:03:16 +0000

You can certainly untar the rules file over the rules directory that snort is looking at, but there are a couple of reasons 
this is probably a bad idea.

1) Sometimes files are added to or removed from the tarball.  If you are not using some sort of rules manager you will 
need to make sure that you reflect the changes in the list of filenames in your snort.conf - otherwise you will end up 
with a bunch of rules files that are sitting there unused or a bunch of entries in your snort.conf for files that are no 
longer there.

2) You will probably find that you need to disable or tune some of the rules in snort's subscription.  Untarring the 
new rules over your rules directory will erase any modifications you make.  Again, a rules manager will help you keep 
track of these sorts of changes.

3) Rules managers can automatically back up the existing rule set before making changes in case you need to roll back.  
Of course, this is something you can do yourself but it will be easier to manage with an existing tool.

FWIW, if your concern is you don't want to allow your snort machine to make a connection to download a rules file, I 
imagine there is a way to tell pulledpork to use a local file for the rules tarball.  I know oinkmaster has a way to do 
this.

-----Original Message-----
From: MLP SCADA [mailto:MLPSCADA () ci anchorage ak us] 
Sent: Monday, November 19, 2012 7:59 PM
To: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] confused on what to do with the ruleset

So I've bought two business subscriptions to the ruleset.  Now what am I actually supposed to do with them?

I understand that I'm supposed to use pulledpork, but the network being monitored has no (known) outside connections, 
so I can't do that.

I'm looking for something like 'untar new ruleset here', e.g. cd /etc/snort/rules; tar xvzpf snortrules-snapshot.tar.gz

I've done my best trying to read the instructions and do the google thing, but I'm still not getting it.

https://www.snort.org/assets/166/snort_manual.pdf 

tells me all about how to write rules and all the details, but not what to do with a new downloaded ruleset.

The various howtos are all inconsistent; probably very useful for someone that already knows what they're doing.
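The reply's first and third points (keep the include lines in snort.conf in step with the files actually in the rules directory, and back the directory up before untarring a new snapshot over it) as an added example; this script is not from the thread or from the Snort project. It assumes the stock snort.conf convention of `var RULE_PATH` plus `include $RULE_PATH/<file>.rules` lines, and builds a small constructed install under a temporary directory so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the thread: compare the "include $RULE_PATH/..." lines in
# snort.conf against the *.rules files present in the rules directory, and back the
# directory up before a new snapshot is untarred over it. All paths are assumptions.
set -u

# Rule filenames that snort.conf includes (commented-out includes are skipped).
included_rules() {   # $1 = snort.conf
    sed -n 's|^[[:space:]]*include[[:space:]][[:space:]]*[$]RULE_PATH/\([^[:space:]]*\).*|\1|p' "$1" | sort -u
}

# *.rules filenames actually present in the rules directory.
present_rules() {    # $1 = rules directory
    for f in "$1"/*.rules; do [ -e "$f" ] && basename "$f"; done | sort -u
}

# On disk but referenced by no include line: left unused after an untar added them.
# (included list is fed twice so that only present-only names survive uniq -u.)
unused_rules() {     # $1 = snort.conf, $2 = rules directory
    { included_rules "$1"; included_rules "$1"; present_rules "$2"; } | sort | uniq -u
}

# Included but no longer on disk: snort would fail to start on these.
missing_rules() {    # $1 = snort.conf, $2 = rules directory
    { present_rules "$2"; present_rules "$2"; included_rules "$1"; } | sort | uniq -u
}

# Copy the rules directory aside before untarring; prints the backup path.
backup_rules() {     # $1 = rules directory, $2 = directory to hold backups
    dest="$2/rules.$(date +%Y%m%d%H%M%S)"
    cp -pR "$1" "$dest" && printf '%s\n' "$dest"
}

# Constructed sample install (not a real one) so the script runs stand-alone.
make_sample() {      # prints the temporary directory it created
    d=$(mktemp -d)
    mkdir "$d/rules"
    printf 'alert tcp any any -> any 80 (msg:"sample"; sid:1000001;)\n' > "$d/rules/web.rules"
    : > "$d/rules/new-in-snapshot.rules"
    cat > "$d/snort.conf" <<'EOF'
var RULE_PATH rules
include $RULE_PATH/web.rules
include $RULE_PATH/removed-from-snapshot.rules
# include $RULE_PATH/disabled.rules
EOF
    printf '%s\n' "$d"
}

SAMPLE_DIR=$(make_sample)
echo "unused:";  unused_rules  "$SAMPLE_DIR/snort.conf" "$SAMPLE_DIR/rules"   # new-in-snapshot.rules
echo "missing:"; missing_rules "$SAMPLE_DIR/snort.conf" "$SAMPLE_DIR/rules"   # removed-from-snapshot.rules
```

Run `backup_rules /etc/snort/rules /var/backups/snort` (paths are assumptions) before the `tar xvzpf` step, then run the two checks afterwards and fix snort.conf before restarting snort.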



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, 
servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
