Snort mailing list archives
Re: Rules managing
From: Y M <snort () outlook com>
Date: Tue, 26 May 2015 14:56:52 +0000
Comments below.

YM

Date: Tue, 26 May 2015 15:52:15 +0200
From: wrkilu () wp pl
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rules managing

Hi,

We want to use rules: snortrules-snapshot, community-rules and emerging.rules. Now we also want to use PulledPork to prepare them (or it could be Oinkmaster). Moreover, I see snort and emerging have categories, e.g. imap, smtp, malware, dos and so on. But community doesn't have them - just one file.

# Community rules are already included in the snortrules-snapshot (registered or subscription), hence they are already categorized.

My questions are:

- how to split custom rules into categories (by apps) like snort and emerging have?

# This can be done when you write your own rules, in the "msg" option. For example MALWARE-CNC or MALWARE-OTHER. If you take a look at PulledPork's enablesid.conf, for example, you can see how rules can be enabled by category. I hope this is what you are referring to by "categories".

- why are so many of the rules (in every one of those groups) commented out? I know about the three groups: Connectivity, Balanced, Security, but when I use this approach I lose the apps categorization approach (I think...)

# I am not sure I understand what you mean. Is it the separate rules files (malware-cnc.rules, etc.) that you lose? Or is it something else?

- how to bring together these two approaches: categorization and apps? Because the best would be if we could first grab rules from the Security group, and then grab from it rules just for malware, e.g., and voip.

# PulledPork can do this as far as I recall. You specify the policy as "Security" and tell PulledPork to keep the rules in their respective rules files - or category, if I understand you correctly - instead of putting all the rules in one file.
Thanks in advance,
Robert

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
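The reply above describes two things that are combined when selecting rules: the category prefix in the rule's "msg" option (MALWARE-CNC, MALWARE-OTHER, ...) and the Connectivity/Balanced/Security policy. The following added example (written for this archive page, not code from PulledPork, Oinkmaster or the thread's authors) shows how "grab the Security policy, then only malware and VoIP" can be done on plain rule text. It assumes the ruleset tags policies in the `metadata` option as `policy security-ips drop` (the form the Talos/VRT rulesets use, which PulledPork's `ips_policy` setting keys on) and that the category is the first token of `msg`; the sample rules are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample rules for this example, not taken from any ruleset;
# sids are in the local (>= 1000000) range. Rule 2 is commented out.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sample outbound beacon"; flow:to_server,established; content:"/gate.php"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; sid:1000001; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"PROTOCOL-VOIP SIP sample INVITE flood"; metadata:policy security-ips drop; classtype:attempted-dos; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER sample downloader"; metadata:policy security-ips alert; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SERVER-MAIL sample SMTP probe"; metadata:policy connectivity-ips drop; classtype:misc-activity; sid:1000004; rev:1;)
'''

def parse_rule(line):
    """Return (sid, category, policies, body) for one rule line, else None.
    A leading '#' (disabled rule) is stripped so the rule can be re-enabled."""
    m = re.match(r'^\s*#?\s*((?:alert|drop|pass|log)\s.*\))\s*$', line)
    if not m:
        return None
    body = m.group(1)
    sid = re.search(r'\bsid:\s*(\d+)', body)
    msg = re.search(r'msg:\s*"([^"]*)"', body)
    if not sid or not msg or not msg.group(1).split():
        return None
    # Category is the first token of msg, e.g. "MALWARE-CNC ..." -> "malware-cnc".
    category = msg.group(1).split()[0].lower()
    policies = set()
    meta = re.search(r'metadata:\s*([^;]*);', body)
    if meta:
        for item in meta.group(1).split(','):
            parts = item.split()
            if len(parts) >= 2 and parts[0] == 'policy':
                policies.add(parts[1].rsplit('-ips', 1)[0])  # "security-ips" -> "security"
    return int(sid.group(1)), category, policies, body

def select_rules(text, policy, categories):
    """Keep rules tagged for `policy` whose category equals, or starts with, one of
    `categories` ("malware" covers malware-cnc and malware-other); return them
    enabled (no leading '#') and grouped by category, one group per output file."""
    grouped = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_rule(line)
        if not parsed:
            continue
        _sid, category, policies, body = parsed
        if policy not in policies:
            continue
        if any(category == c or category.startswith(c + '-') for c in categories):
            grouped[category].append(body)
    return dict(grouped)

if __name__ == '__main__':
    for cat, rules in select_rules(SAMPLE_RULES, 'security', ['malware', 'protocol-voip']).items():
        print(f'{cat}.rules: {len(rules)} rule(s)')
```

Each key of the returned dict maps to the lines you would write into that category's `.rules` file; a rule that was commented out in the source (the VoIP one) comes back enabled because it matched the requested policy and category.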
Current thread:
- Rules managing Robert Lasota (May 26)
- Re: Rules managing Y M (May 26)