Snort mailing list archives

Questions on Snort 3 rulesets


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sun, 26 Apr 2020 07:27:10 +0200

1. Are community rulesets included in the registered ruleset?
From the snort FAQ (
https://www.snort.org/faq/what-are-the-differences-in-the-rule-sets), it
sounds like the community ruleset is included in the registered ruleset;
however, the included snort.lua in the registered ruleset looks to reference
a separate community ruleset (--include = 'snort3_community.rules'). I'm
not sure if this is just because it's an example or if we need to include
it explicitly as well.

2. Is PulledPork going to be updated for Snort 3?
I'm not sure if this is the correct place to ask, but I'm not seeing any
mention of Snort 3 on the PulledPork GitHub site.

3. Question on Built-in rules
What's the difference between the builtin rules in the registered ruleset
(./builtin/builtin.rules) and the "enable_builtin_rules = true" IPS
option?  Is the builtin.rules file just to provide additional information
when alerts are being output (when the enable_builtin_rules is enabled)?

4. Configuring which rules are loaded in snort.lua:
I see that in snort.lua's IPS section, there are a few ways to configure
rules:

the rules array (rules = [[ ... ]] )
the include option (include = '..')

can the 'include' option be used more than once, or do we have to use the
rules array or an include.ips file?

5. Is the sid-msg.map still needed?
This file is still included with the snort3 community rules, but not with
the registered rules. Is this file still necessary with snort 3 rules?

Thanks
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
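For readers following question 4, here is an added illustration (not from the post above and not a file shipped by the Snort project) of the two rule-loading mechanisms the question names, written in the shape of the `ips` table in snort.lua. One point worth knowing when reading the shipped snort.lua: in Lua, a line beginning with `--` is a comment, so `--include = 'snort3_community.rules'` is a commented-out line rather than an active option. The rule path and the inline ICMP rule below are constructed placeholders.

```lua
-- Added example, not the project's own snort.lua.
-- Assumed rule directory; adjust to the install being configured.
RULE_PATH = '/usr/local/etc/rules'

ips =
{
    -- Emit the decoder/inspector "builtin" events in addition to text rules.
    enable_builtin_rules = true,

    -- Inline rules: one Lua long string, one rule per line.
    -- Local rules conventionally use sids of 1000000 and above.
    rules = [[
        alert icmp any any -> any any ( msg:"EXAMPLE local rule - ICMP seen"; sid:1000001; rev:1; )
    ]],

    -- Rules read from a file; the ".." is ordinary Lua string concatenation.
    include = RULE_PATH .. '/snort3_community.rules',
}
```

When testing a change like this, run the configuration check (`snort -c snort.lua -T`) before pointing the sensor at live traffic; a parse error in either the inline block or the included file is reported there rather than silently dropping rules.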
