Snort mailing list archives

Re: [Snort-users] i have only 600 rules in my snort3


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Wed, 2 Mar 2022 09:19:48 -1000

Hello,
From my earlier email, this is probably related to the ips_policy in your
pulledpork.conf file.
Are you saying that your pulledpork.rules file has 15000 rules, but snort
only shows 600 rules when loading?

On Wed, Mar 2, 2022 at 9:10 AM Dorian ROSSE <dorianbrice () hotmail fr> wrote:

Pulled pork has downloaded around 15000 rules but snort3 uses 600 rules,

Thank you in advance for explaining to me how to use all the rules,

Regards.


Dorian Rosse.
------------------------------
*From:* Noah Dietrich <noah_dietrich () 86penny org>
*Sent:* Wednesday, March 2, 2022 8:05:21 PM
*To:* Dorian ROSSE <dorianbrice () hotmail fr>
*Cc:* Maya Dagon (mdagon) <mdagon () cisco com>; Snort-users () lists snort org
<snort-users () lists snort org>; snort-devel () lists snort org <
snort-devel () lists snort org>; snort-sigs () lists snort org <
snort-sigs () lists snort org>
*Subject:* Re: [Snort-users] [Snort-devel] i have only 600 rules in my
snort3

Hello.
I do not understand your question. Can you please clarify the issue you
are having?

On Wed, Mar 2, 2022 at 9:03 AM Dorian ROSSE <dorianbrice () hotmail fr>
wrote:

I have the truth,

Pulled pork downloads more rules than snort3 uses,

Thank you in advance for helping me use all the rules,

Regards.


Dorian Rosse.
------------------------------
*From:* Noah Dietrich <noah_dietrich () 86penny org>
*Sent:* Wednesday, March 2, 2022 8:01:55 PM
*To:* Dorian ROSSE <dorianbrice () hotmail fr>
*Cc:* Maya Dagon (mdagon) <mdagon () cisco com>; Snort-users () lists snort org
<snort-users () lists snort org>; snort-devel () lists snort org <
snort-devel () lists snort org>; snort-sigs () lists snort org <
snort-sigs () lists snort org>
*Subject:* Re: [Snort-users] [Snort-devel] i have only 600 rules in my
snort3

Hello,

I do not think that is the issue here. If you have 600 rules in your rules
file, then those rules are being downloaded (the local.rules only has two
rules).
Please see my previous email regarding modifying your pulledpork.conf file
if you want to enable more rules.

Noah

On Mon, Feb 28, 2022 at 11:33 PM Dorian ROSSE <dorianbrice () hotmail fr>
wrote:

Dear Noah,


The error is also here:

In your configuration of the snort configuration you only read the local
rules,

Thank you in advance for explaining how to read all the rules folders,

Regards.


Dorian Rosse.
------------------------------
*From:* Noah Dietrich <noah_dietrich () 86penny org>
*Sent:* Monday, February 28, 2022 10:18:01 PM
*To:* Dorian ROSSE <dorianbrice () hotmail fr>
*Cc:* Maya Dagon (mdagon) <mdagon () cisco com>; Snort-users () lists snort org
<snort-users () lists snort org>; snort-devel () lists snort org <
snort-devel () lists snort org>; snort-sigs () lists snort org <
snort-sigs () lists snort org>
*Subject:* Re: [Snort-users] [Snort-devel] i have only 600 rules in my
snort3

Hello,

I think the reason you only have 600 rules is because of the "ips_policy"
setting in your pulledpork.conf file (I assume you're using PulledPork3,
but it's similar for PP2).
This setting determines how many rules from the downloaded ruleset are
enabled, based on your appetite for risk.  From the pulledpork.conf file:

# Enable / Disable rules based on the level of functionality/security you want.
# must be one of: connectivity, balanced, security, max-detect, none
# default is connectivity. Will not work with community ruleset.
# https://www.snort.org/faq/why-are-rules-commented-out-by-default
ips_policy = balanced

If you want more rules enabled from the ruleset, choose security or
max-detect for this setting and re-run pulledpork.

Noah
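A quick check for the situation discussed above, added here as an example and not part of the thread or of PulledPork itself: it counts the rules in a pulledpork.rules file (enabled versus commented out, and how many carry each ips_policy level in their metadata), and reads Snort 3's "rule counts" block to tell whether any text rules were loaded at all. The sample rules are constructed to follow the Talos rule format ("policy balanced-ips drop" metadata); the output block is the one quoted in this thread.

```python
import re

# Constructed sample in the format PulledPork writes: Talos rules carry
# "policy <level>-ips <action>" metadata naming the ips_policy levels under
# which the rule is enabled; rules disabled by the policy are commented out.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE one"; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE two"; sid:1000002; rev:1; metadata:policy security-ips drop, policy max-detect-ips drop;)
# alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE three"; sid:1000003; rev:1; metadata:policy max-detect-ips drop;)
alert tcp any any -> any any (msg:"EXAMPLE no policy"; sid:1000004; rev:1;)
"""

# The "rule counts" block from the first mail in this thread.
RULE_COUNTS = """rule counts
       total rules loaded: 600
            builtin rules: 600
            option chains: 600
            chain headers: 1
"""

RULE_RE = re.compile(r'^\s*(#\s*)?(alert|drop|block|pass|reject|log)\s+\S+.*\bsid:\s*\d+')
POLICY_RE = re.compile(r'policy\s+([a-z-]+)-ips\s+\w+')

def summarize_rules(text):
    """Count rules in a rules file: total, currently enabled (not commented
    out), and how many would be enabled under each ips_policy level."""
    levels = ("connectivity", "balanced", "security", "max-detect")
    stats = {"total": 0, "enabled": 0, "per_policy": {lvl: 0 for lvl in levels}}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or an ordinary comment, not a rule
        stats["total"] += 1
        if not m.group(1):
            stats["enabled"] += 1
        for lvl in POLICY_RE.findall(line):
            if lvl in stats["per_policy"]:
                stats["per_policy"][lvl] += 1
    return stats

def text_rules_loaded(snort_output):
    """From Snort 3's 'rule counts' block, return total minus builtin rules,
    i.e. how many rules came from rule files. 0 means the rules file was not
    read at all (an include/path problem), which no ips_policy change fixes."""
    total = int(re.search(r'total rules loaded:\s*(\d+)', snort_output).group(1))
    builtin = int(re.search(r'builtin rules:\s*(\d+)', snort_output).group(1))
    return total - builtin

if __name__ == "__main__":
    print(summarize_rules(SAMPLE_RULES))
    print("text rules loaded by snort:", text_rules_loaded(RULE_COUNTS))
```

Run it against the real pulledpork.rules to see how many rules each ips_policy level would enable; if Snort's own count shows zero text rules, check the include path in snort.lua first.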





On Mon, Feb 28, 2022 at 8:35 AM Dorian ROSSE via Snort-users <
snort-users () lists snort org> wrote:

I use the configuration edited from the pdf created by Noah Dietrich for
snort3 on Ubuntu 18 & 20,

From the beginning I have 600 rules, as if the system doesn't read rules;
before I downloaded the rules I already had 600 rules,

Do you have a fix?

Thank you in advance for your help,

Regards.


Dorian Rosse.
------------------------------
*From:* Maya Dagon (mdagon) <mdagon () cisco com>
*Sent:* Monday, February 28, 2022 4:34:28 PM
*To:* Dorian ROSSE <dorianbrice () hotmail fr>; Snort-users () lists snort org <
snort-users () lists snort org>; snort-devel () lists snort org <
snort-devel () lists snort org>; snort-sigs () lists snort org <
snort-sigs () lists snort org>
*Subject:* Re: [Snort-devel] i have only 600 rules in my snort3


Hi Dorian,



The path depends on your configuration. Are you including the rules from
another file? Is it using a relative path?



Thanks,

Maya



*From: *Snort-devel <snort-devel-bounces () lists snort org> on behalf of
Dorian ROSSE via Snort-devel <snort-devel () lists snort org>
*Reply-To: *Dorian ROSSE <dorianbrice () hotmail fr>
*Date: *Saturday, February 26, 2022 at 6:46 AM
*To: *"Snort-users () lists snort org" <snort-users () lists snort org>, "
snort-devel () lists snort org" <snort-devel () lists snort org>, "
snort-sigs () lists snort org" <snort-sigs () lists snort org>
*Subject: *Re: [Snort-devel] i have only 600 rules in my snort3



My rules are located under /usr/local/etc/rules/rules and
/usr/local/etc/rules/so_rules,

Should I move them up into the root etc like these:
/usr/local/etc/rules and /usr/local/etc/so_rules ?

Thank you in advance for your enlightening answer,



Regards.





Dorian ROSSE.
------------------------------

*From:* Dorian ROSSE
*Sent:* Friday, February 25, 2022 16:43
*To:* Snort-users () lists snort org <snort-users () lists snort org>;
snort-devel () lists snort org <snort-devel () lists snort org>;
snort-sigs () lists snort org <snort-sigs () lists snort org>
*Subject:* i have only 600 rules in my snort3



Hello,





I have this problem:

rule counts
       total rules loaded: 600
            builtin rules: 600
            option chains: 600
            chain headers: 1



ethtool is broken again, then I went further,



Why do I have only 600 rules?



I have successfully installed pulledpork and downloaded the rules,



Thank you in advance for helping me fully configure snort3,



Regards.





Dorian ROSSE.