Snort mailing list archives
Re: Odp: Re: PulledPork and empty Emerging ruleset
From: <snort () outlook com>
Date: Sat, 30 May 2015 20:46:20 +0000
I did NOT say that PulledPork can't generate ET rules. If you look back at my previous answer, all I said was that ET rules do NOT include the required metadata to classify rules based on policy. Also, like I said earlier, you can use enablesid.conf to enable what you choose from ET. In fact, if you open enablesid.conf, you will see an example of how to enable ET rules.

Sent from Mobile

On Sat, May 30, 2015 at 1:37 PM -0700, "Robert Lasota" <wrkilu () wp pl> wrote:

> On Saturday, 30 May 2015 13:45 Y M <snort () outlook com> wrote:
>
>> ET rules do not include the metadata required to designate a rule to a rules policy. Check the metadata keyword in a VRT/TALOS rule to see how. PulledPork uses this metadata to match the policy specified in command line with rules. Use ET categories in enablesid.conf to enable by category.
>>
>> Sent from Mobile
>
> The main reason I used PulledPork is the ability to choose the ruleset it generates (by setting the -I parameter to security, balanced or connectivity). Then I know why some rules are enabled and why others are commented out in the resulting files. But when you tell me that PulledPork can't generate Emerging rules in the same way as Snort's rules, how should I decide which rules from Emerging should be enabled and which should be commented out?
>
>> On Sat, May 30, 2015 at 4:39 AM -0700, "Robert Lasota" <wrkilu () wp pl> wrote:
>>
>>> Hi,
>>>
>>> I use "-I security" when generating rules, and I also use Snort and Emerging (open source) rules. As a result I get many VRT rules and, unfortunately, many empty ET-emerging rules files.
>>>
>>> So my question is: is it normal that "-I security" causes ET rules not to be used?
>>>
>>> Second question: should I use some workaround to enable ET-emerging rules anyway, and if so, how?
>>>
>>> Thanks
>>> Robert
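The policy matching discussed in this thread, as an added sketch that is neither the posters' code nor PulledPork's own: it models "-I security" as "enable a rule only if its metadata names that policy" and shows why rule files without policy metadata come out empty. The sample rules, SIDs, file names, function names and the `<policy>-ips` metadata spelling are assumptions constructed for illustration.

```python
import re

# Constructed sample rules (not real signatures); SIDs and file names are made up.
SAMPLE_RULES = {
    "vrt-sample.rules": [
        'alert tcp any any -> any 80 (msg:"SAMPLE A"; content:"abc"; '
        'metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)',
        'alert tcp any any -> any 80 (msg:"SAMPLE B"; content:"def"; '
        'metadata:policy security-ips alert; sid:1000002; rev:1;)',
        'alert tcp any any -> any 80 (msg:"SAMPLE C"; content:"ghi"; '
        'metadata:policy connectivity-ips drop; sid:1000003; rev:1;)',
    ],
    "emerging-sample.rules": [  # ET-style: no policy metadata at all
        'alert tcp any any -> any 80 (msg:"SAMPLE D"; content:"jkl"; classtype:trojan-activity; sid:1000004; rev:1;)',
        'alert tcp any any -> any 25 (msg:"SAMPLE E"; content:"mno"; sid:1000005; rev:1;)',
    ],
}

METADATA_RE = re.compile(r"metadata:\s*([^;]+);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def rule_policies(rule):
    """Return the policy names (e.g. 'security-ips') listed in a rule's metadata."""
    policies = set()
    for body in METADATA_RE.findall(rule):
        for item in body.split(","):
            words = item.split()
            if len(words) >= 2 and words[0] == "policy":
                policies.add(words[1])
    return policies

def apply_policy(rules_by_file, policy):
    """Simplified model: a rule is enabled only if it names '<policy>-ips'."""
    wanted = policy + "-ips"
    result = {}
    for fname, rules in rules_by_file.items():
        enabled, disabled = [], []
        for rule in rules:
            match = SID_RE.search(rule)
            if match:
                target = enabled if wanted in rule_policies(rule) else disabled
                target.append(int(match.group(1)))
        result[fname] = {"enabled": enabled, "disabled": disabled}
    return result

def files_needing_enablesid(result):
    """Files left with no enabled rules: candidates for explicit enablesid.conf entries."""
    return sorted(f for f, r in result.items() if r["disabled"] and not r["enabled"])

if __name__ == "__main__":
    outcome = apply_policy(SAMPLE_RULES, "security")
    print(outcome, files_needing_enablesid(outcome))
```
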