Snort mailing list archives
Questions on Snort 3 rulesets
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sun, 26 Apr 2020 07:27:10 +0200
1. Are community rulesets included in the registered ruleset?

From the Snort FAQ (https://www.snort.org/faq/what-are-the-differences-in-the-rule-sets), it sounds like the community ruleset is included in the registered ruleset; however, the snort.lua included in the registered ruleset looks to reference a separate community ruleset (--include = 'snort3_community.rules'). I'm not sure if this is just because it's an example or if we need to include it explicitly as well.

2. Is PulledPork going to be updated for Snort 3?

I'm not sure if this is the correct place to ask, but I'm not seeing any mention of Snort 3 on the PulledPork GitHub site.

3. Question on built-in rules

What's the difference between the builtin rules in the registered ruleset (./builtin/builtin.rules) and the "enable_builtin_rules = true" IPS option? Is the builtin.rules file just to provide additional information when alerts are being output (when enable_builtin_rules is enabled)?

4. Configuring which rules are loaded in snort.lua

I see that in snort.lua's IPS section, there are a few ways to configure rules: the rules array (rules = [[ ... ]]) and the include option (include = '..'). Can the 'include' option be used more than once, or do we have to use the rules array or an include.ips file?

5. Is the sid-msg.map still needed?

This file is still included with the Snort 3 community rules, but not with the registered rules. Is this file still necessary with Snort 3 rules?

Thanks,
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Questions on Snort 3 rulesets Noah Dietrich (Apr 25)
- Re: Questions on Snort 3 rulesets Russ Combs (rucombs) via Snort-devel (Apr 26)