Snort mailing list archives

Re: Odp: Re: PulledPork and empty Emerging ruleset


From: <snort () outlook com>
Date: Sat, 30 May 2015 20:46:20 +0000

I did NOT say that PulledPork can't generate ET rules. If you look back at my previous answer, all I said was that ET 
rules do NOT include the required metadata to classify rules based on policy.
Also, like I said earlier, you can use enablesid.conf to enable what you choose from ET. In fact, if you open 
enablesid.conf, you will see an example of how to enable ET rules.

Sent from Mobile
On Sat, May 30, 2015 at 1:37 PM -0700, "Robert Lasota" <wrkilu () wp pl> wrote:
On Saturday, 30 May 2015 13:45, Y M <snort () outlook com> wrote:

ET rules do not include the metadata required to designate a rule to a rules policy. Check the metadata keyword in a 
VRT/TALOS rule to see how. PulledPork uses this metadata to match the policy specified on the command line with rules.

Use ET categories in enablesid.conf to enable by category.

Sent from Mobile
The main reason I used PulledPork is the ability to choose the ruleset which it generates (by setting the -I parameter to 
security, balanced or connectivity). Then I know why some rules are enabled and why others are commented out in the result 
files. But when you tell me that PulledPork can't generate Emerging rules in the same way as Snort's rules, how should I 
decide which rules from Emerging should be enabled and which should be commented out?
On Sat, May 30, 2015 at 4:39 AM -0700, "Robert Lasota" <wrkilu () wp pl> wrote:

Hi,

I use "-I security" when generating rules, and I also use Snort and Emerging (open source) rules. As a result I get many 
VRT rules and, unfortunately, many empty ET-emerging rule files. So my question is: is it normal that "-I security" 
causes ET rules not to be used? Second question: should I use some workaround to enable the ET-emerging rules anyway, and 
if so, how?

Thanks

Robert

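An added example (not PulledPork's code and not from anyone in this thread) that shows why a policy pull leaves ET rule files empty: it parses the policy entries in the metadata keyword of VRT/Talos-style rules and keeps only rules naming the requested policy, so a rule without that metadata stays disabled unless an enable list names its file or SID. The sample rules are constructed, and the enable list is a simplified stand-in for enablesid.conf whose real syntax is assumed here, not taken from this page.

```python
import re

METADATA_RE = re.compile(r"metadata:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+([a-z]+)-ips\s+(alert|drop)")
SID_RE = re.compile(r"\bsid:\s*(\d+);")

# Constructed sample rules: a VRT-style rule with policy metadata, an ET-style one without.
SAMPLE_RULES = {
    "server-webapp.rules": [
        'alert tcp any any -> any 80 (msg:"SAMPLE A"; content:"/a"; '
        'metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)',
    ],
    "emerging-trojan.rules": [
        'alert tcp any any -> any 80 (msg:"ET SAMPLE C"; content:"/c"; '
        'classtype:trojan-activity; sid:2000001; rev:1;)',
    ],
}

def policy_actions(rule):
    """Return {policy_name: action} parsed from the rule's metadata keyword."""
    m = METADATA_RE.search(rule)
    return dict(POLICY_RE.findall(m.group(1))) if m else {}

def select_rules(rules_by_file, policy, enable_list=()):
    """Map sid -> (file, enabled, reason) for one -I policy. enable_list (file names
    or SIDs to force on) is a simplified stand-in for enablesid.conf, assumed here."""
    selection = {}
    for fname, rules in rules_by_file.items():
        for rule in rules:
            sid = SID_RE.search(rule).group(1)
            actions = policy_actions(rule)
            if policy in actions:
                selection[sid] = (fname, True, f"policy {policy}-ips {actions[policy]}")
            elif fname in enable_list or sid in enable_list:
                selection[sid] = (fname, True, "forced on by enable list")
            else:
                selection[sid] = (fname, False, f"no metadata for policy {policy}")
    return selection

def empty_files(selection):
    """Rule files in which every rule ended up disabled (commented out)."""
    files = {f for f, _, _ in selection.values()}
    return sorted(files - {f for f, on, _ in selection.values() if on})

if __name__ == "__main__":
    for policy in ("security", "connectivity"):
        sel = select_rules(SAMPLE_RULES, policy)
        print(policy, {sid: why for sid, (_, _, why) in sel.items()}, "empty:", empty_files(sel))
    print("override:", empty_files(select_rules(SAMPLE_RULES, "security", ("emerging-trojan.rules",))))
```

Run as-is to see the ET file come out empty under "security", and non-empty once its file name is on the enable list.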
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!