Snort mailing list archives
Understanding usage to LightSPD rules
From: Dheeraj Gupta via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 21 Mar 2024 11:08:37 +0530
Hi,

We have been using the snapshot ruleset for Snort for many years with pulledpork (the original Perl script, which has been patched to support Snort3). With Snort3 and its accelerated release cycle, snapshots are no longer generated for each version. So these days we download the latest snapshot and just rename it to whatever version we are using for pulledpork to pick it up.

The available guidance on the official site points to using the LightSPD rules, and I have seen that the stated goal of the pulledpork3 Python project is to support Snort3 rule management using the traditional snapshot or the new LightSPD rules. My understanding is that LightSPD rules basically bundle all the rules for all the versions together and use a `manifest.json` to allow users to choose the correct ruleset based on their version. However, I have a few queries:

1. In manifest.json in LightSPD, under each version, there is a key called "extended_rule_groups" which points to a bunch of `extended_rule_groups.json` files. However, these JSON files do not exist at their purported paths. Is this a bug, or are these files part of a future improvement which is not yet implemented?

2. How are we supposed to gather the non-SO rules? Should we just recurse under all directories and gather all the rules, or is manifest.json to be used there as well?

3. The last commit to the Pulledpork3 project was almost a year ago. Since then it appears that the rule directory structure has been updated. E.g. new rulesets have subdirectories other than 3.0.0.0 (3.1.35.0 etc.). But the code has only a single sub-directory (3.0.0.0) hard-coded in it. Thus, it doesn't seem that newer rulesets will be processed correctly by Pulledpork3. Old pulledpork (the Perl one), while able to support Snort3, has no concept of LightSPD rules. So how are we supposed to apply these rules while running Snort?

4. Is there up-to-date general documentation about best practices for Snort signature management?

Regards,
Dheeraj
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
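The version-selection and rule-gathering logic the questions above touch on, as an added example that is not code from the thread, from pulledpork3 or from the LightSPD package. Only the `extended_rule_groups` key and the version-directory names (3.0.0.0, 3.1.35.0) come from the message; the `rules_dir` key and the rest of the sample manifest layout are constructed assumptions for illustration, not the real manifest format. It picks the highest manifest version not newer than the running Snort, recurses for `.rules` files under that version instead of hard-coding 3.0.0.0, and reports referenced `extended_rule_groups` files that are missing on disk.

```python
import json
import os
import tempfile

# Constructed sample manifest (assumed layout; only "extended_rule_groups"
# and the version directory names are taken from the thread).
SAMPLE_MANIFEST = {
    "3.0.0.0": {"rules_dir": "rules/3.0.0.0",
                "extended_rule_groups": ["rules/3.0.0.0/extended_rule_groups.json"]},
    "3.1.35.0": {"rules_dir": "rules/3.1.35.0",
                 "extended_rule_groups": ["rules/3.1.35.0/extended_rule_groups.json"]},
}

def version_tuple(v):
    # "3.1.35.0" -> (3, 1, 35, 0) so versions compare numerically, not as strings
    return tuple(int(x) for x in v.split("."))

def select_version(manifest, snort_version):
    """Highest manifest version that does not exceed the running Snort version."""
    candidates = [v for v in manifest if version_tuple(v) <= version_tuple(snort_version)]
    if not candidates:
        raise ValueError(f"no ruleset in manifest for Snort {snort_version}")
    return max(candidates, key=version_tuple)

def gather_rules(root, manifest, snort_version):
    """Return (rule files found recursively, referenced files missing on disk)."""
    entry = manifest[select_version(manifest, snort_version)]
    found = []
    for dirpath, _, files in os.walk(os.path.join(root, entry["rules_dir"])):
        found += sorted(os.path.join(dirpath, f) for f in files if f.endswith(".rules"))
    # Flag manifest references that point at files which do not exist
    missing = [p for p in entry.get("extended_rule_groups", [])
               if not os.path.isfile(os.path.join(root, p))]
    return found, missing

def demo():
    # Build a constructed on-disk layout with one placeholder rule file per version
    # and deliberately no extended_rule_groups.json, mirroring the reported gap.
    root = tempfile.mkdtemp()
    for v in ("3.0.0.0", "3.1.35.0"):
        d = os.path.join(root, "rules", v, "builtins")
        os.makedirs(d)
        with open(os.path.join(d, "builtins.rules"), "w") as f:
            f.write("# constructed placeholder rule file\n")
    with open(os.path.join(root, "manifest.json"), "w") as f:
        json.dump(SAMPLE_MANIFEST, f)
    with open(os.path.join(root, "manifest.json")) as f:
        manifest = json.load(f)
    found, missing = gather_rules(root, manifest, "3.1.60.0")
    return select_version(manifest, "3.1.60.0"), len(found), len(missing)
```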
Current thread:
- Understanding usage to LightSPD rules Dheeraj Gupta via Snort-sigs (Mar 20)
- Re: Understanding usage to LightSPD rules Patrick Mullen (pamullen) via Snort-sigs (Mar 22)