Re: Snort rules

["Joel Esler (jesler)" <jesler () cisco com>]

The “on off” state, by default, so equate, roughly, to balanced.  You have to adjust your posture from there.


--
Joel Esler
Manager, Talos Group




> On Jun 14, 2016, at 11:09 AM, Y M <snort () outlook com> wrote:
>
> Yes, as far as I understand. In a very abstract form, the policy is expressed in the "metadata" keyword within each 
> rule using definitions such as balanced-ips, security-ips . This is how PulledPork can tell which rules to enable 
> based on the selected policy. There is a one-to-one mapping of policies between the ruleset and PulledPork (not sure 
> about the max-ips through).
>
> YM
>
> Sent from Mobile
>
> _____________________________
> From: Dan Roberts <danroberts2604 () gmail com <mailto:danroberts2604 () gmail com>>
> Sent: Tuesday, June 14, 2016 5:24 PM
> Subject: Re: [Snort-users] Snort rules
> To: Y M <snort () outlook com <mailto:snort () outlook com>>
>
>
> Thanks for the link :-)
>
> I knew that with some dedicated tools (like Pulledpork) you can generate your set of rules based on: connectivity, 
> balanced or security profile.
>
> Does it mean that the package delivered by default by Snort for the registered users (snortrules-snapshot-xxx.tar.gz) 
> provides the same set of rules (known as "Balanced Base Policy") as the balanced-one built by Pulledpork ?
>
>
>
> On Tue, Jun 14, 2016 at 3:00 PM, Y M <snort () outlook com <mailto:snort () outlook com>> wrote:
> Check this link: http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html 
> <http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html>
>
> YM
>
> Sent from Mobile
>
>
>
>
> On Tue, Jun 14, 2016 at 3:55 PM +0300, "Dan Roberts" <danroberts2604 () gmail com <mailto:danroberts2604 () gmail 
> com>> wrote:
>
> Hi all,
>
> Does someone know what decides which rules are commented out (#) in the *.rules files contained in he 
> snortrules-snapshot-29xx.tar.gz package?
>
> Are they outdated ? So why do we keep them in the files ?
>
> Thanks
>
> Dan
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning reports. 
> https://ad.doubleclick.net/ddm/clk/305295220;132659582;e_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports. http://pubads.g.doubleclick.net/gampad/clk?id=1444514421&iu=/41014381

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!