Snort mailing list archives

Re: Rules managing


From: Y M <snort () outlook com>
Date: Tue, 26 May 2015 14:56:52 +0000

Comments below.
YM
Date: Tue, 26 May 2015 15:52:15 +0200
From: wrkilu () wp pl
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rules managing


Hi,

We want to use these rules: snortrules-snapshot, community-rules and emerging.rules. Now we also want to use PulledPork to 
prepare them (or it could be Oinkmaster). Moreover, I see snort and emerging have categories, e.g. imap, smtp, malware, 
dos and so on. But community doesn't have them, just one file.


# Community rules are already included in the snortrules-snapshot (registered or subscription), hence they are already 
categorized.


 

My questions are:

- how to split custom rules into categories (by apps) like snort and emerging have?


# This can be done when you write your own rules, in the "msg" option. For example MALWARE-CNC or MALWARE-OTHER. If you 
take a look at PulledPork's enablesid.conf, for example, you can see how rules can be enabled by category. I hope this is 
what you are referring to by "categories".




- why are so many of the rules (in every one of those groups) commented out? I know about the three groups: Connectivity, 
Balanced, Security, but when I use this approach I lose the apps categorization approach (I think...)


# I am not sure I understand what you mean. Is it the separate rules files (malware-cnc.rules, etc.) that you lose? or 
is it something else?




- how to bring together these two approaches: categorization and apps? Because the best would be if we could first grab 
the rules from the Security group, and then grab from it just the rules for, e.g., malware and voip.


# PulledPork can do this as far as I recall. You specify the policy as "Security" and tell PulledPork to keep the rules 
in their respective rules files - or categories, if I understand you correctly - instead of putting all the rules in one 
file.


 

Thanks in advance

Robert
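
The two things discussed in this thread, a policy (Connectivity/Balanced/Security) and an application category
(malware, voip, smtp, ...), live in two different fields of a Snort rule: the policy is listed in the rule's
metadata option ("policy security-ips drop", the field PulledPork's ips_policy setting keys on), while the Talos
category is the first token of the msg option ("MALWARE-CNC ..."). The script below is an added example written
for this thread, not PulledPork or Snort code: it reads a rule file, groups rules into per-category files by
that msg prefix, and enables only the rules that carry the chosen policy, optionally restricted to a set of
categories (the "Security, but only malware and voip" case). The rules it processes are constructed for the
example, with SIDs in the local range; the category-from-msg convention and the metadata format are assumptions
about how your own rules are written, so adjust the regexes if your custom rules name categories differently.
Rules with no policy metadata stay commented out under every policy, which is also what the stock rulesets do.

```python
"""Split Snort rules into per-category files and enable only the rules that
belong to a chosen Talos policy (connectivity, balanced, security).

Added example for this thread; it is not PulledPork or Snort code.
Assumptions: the category is the first token of the rule's msg option
(e.g. "MALWARE-CNC"), and policy membership comes from the metadata
option ("policy security-ips drop"), the field PulledPork's ips_policy
setting keys on.  Rules with no policy metadata stay disabled.
"""
import re
from collections import defaultdict
from pathlib import Path

# Sample rules, constructed for this example (SIDs are in the local range).
SAMPLE_RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Example beacon"; flow:to_server,established; content:"/beacon"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP example overlong command"; flow:to_server,established; content:"HELO"; isdataat:512,relative; metadata:policy security-ips drop; classtype:attempted-dos; sid:1000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP example SIP flood"; metadata:policy security-ips alert; classtype:attempted-dos; sid:1000003; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 143 (msg:"IMAP example plaintext login"; flow:to_server,established; content:"LOGIN"; nocase; classtype:policy-violation; sid:1000004; rev:1;)
"""

# A rule line, optionally commented out with a leading '#'.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<body>(?:alert|drop|sdrop|reject|log|pass)\s.*\(.*\))\s*$')
MSG_RE = re.compile(r'msg:\s*"(?P<msg>[^"]*)"')
META_RE = re.compile(r'metadata:\s*(?P<meta>[^;]*);')
SID_RE = re.compile(r'\bsid:\s*(?P<sid>\d+)\s*;')


def parse_rule(line):
    """Return (sid, category, policies, body) or None for blank/comment lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    body = m.group('body')
    msg = MSG_RE.search(body)
    sid = SID_RE.search(body)
    if not msg or not sid:
        return None
    # Talos names categories in the msg prefix: "MALWARE-CNC ...", "SERVER-MAIL ...".
    category = msg.group('msg').split(' ', 1)[0].lower()
    policies = set()
    meta = META_RE.search(body)
    if meta:
        for item in meta.group('meta').split(','):
            parts = item.split()
            # "policy security-ips drop" -> "security"
            if len(parts) >= 2 and parts[0] == 'policy':
                policies.add(parts[1].rsplit('-ips', 1)[0])
    return int(sid.group('sid')), category, policies, body


def split_rules(text, policy, categories=None):
    """Group rules by category, enabling only those that list `policy`.

    `categories` restricts the output to those categories (e.g. {'malware-cnc',
    'voip'}); None keeps all of them.  Returns ({category: [lines]}, enabled_sids).
    """
    grouped = defaultdict(list)
    enabled = set()
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        sid, category, policies, body = parsed
        if categories is not None and category not in categories:
            continue
        if policy in policies:
            grouped[category].append(body)
            enabled.add(sid)
        else:
            grouped[category].append('# ' + body)
    return dict(grouped), enabled


def write_category_files(grouped, out_dir):
    """Write one <category>.rules file per category; return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for category, lines in sorted(grouped.items()):
        path = out / f'{category}.rules'
        path.write_text('\n'.join(lines) + '\n')
        paths.append(path)
    return paths


if __name__ == '__main__':
    grouped, enabled = split_rules(SAMPLE_RULES, 'security',
                                   categories={'malware-cnc', 'voip'})
    for path in write_category_files(grouped, 'rules.d'):
        print(path)
    print('enabled SIDs:', sorted(enabled))
```

Run against the sample with policy "security" and categories {malware-cnc, voip} and you get two files,
malware-cnc.rules and voip.rules, with SIDs 1000001 and 1000003 uncommented; the same input under "balanced"
enables only 1000001, because that is the only rule whose metadata lists balanced-ips. Point the script at
your own local.rules and include each generated file from snort.conf, the same way the per-category files
from the snapshot are included.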

 

 

 






------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
  