Snort mailing list archives

Understanding usage to LightSPD rules


From: Dheeraj Gupta via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 21 Mar 2024 11:08:37 +0530

Hi,

We have been using the snapshot ruleset for Snort for many years
with pulledpork (the original Perl script, which has been patched to support
Snort3). With Snort3 and its accelerated release cycle, snapshots are no
longer generated for each version, so these days we download the latest
snapshot and just rename it to whatever version we are using for pulledpork
to pick it up.

The available guidance on the official site points to using the LightSPD rules,
and I have seen that the stated goal of the pulledpork3 Python project is to
support Snort3 rule management using either the traditional snapshot or the new
LightSPD rules.

My understanding is that LightSPD rules basically bundle all the rules for
all the versions together and use a `manifest.json` to allow users to
choose the correct ruleset based on their version. However, I have a few
queries:

1. In manifest.json in LightSPD, under each version, there is a key called
"extended_rule_groups" which points to a bunch of
`extended_rule_groups.json` files. However, these JSON files do not exist
at their purported paths. Is this a bug or are these files part of a future
improvement which is not yet implemented?

2. How are we supposed to gather the non-SO rules? Should we just recurse
under all directories and gather all the rules or is manifest.json to be
used there as well?

3. The last commit to the Pulledpork3 project was almost a year ago. Since then
it appears that the rule directory structure has been updated, e.g. new
rulesets have subdirectories other than 3.0.0.0 (3.1.35.0 etc.), but the
code has only a single sub-directory (3.0.0.0) hard-coded in it. Thus, it
doesn't seem that newer rulesets will be processed correctly by
Pulledpork3. The old pulledpork (the Perl one), while able to support Snort3, has
no concept of LightSPD rules. So how are we supposed to apply these rules
while running Snort?

4. Is there up-to-date general documentation about best practices for
Snort signature management?

Regards,
Dheeraj
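The questions above (selecting the right manifest entry for a running Snort version, checking that the files manifest.json points at actually exist, and recursing to gather the non-SO text rules) can be worked through with a small script. The following is an added example written for this archive page; it is not code from pulledpork3, from the Snort team, or from the original post. The manifest layout it uses (a top-level "snort versions" map with per-version "rules_path" and "extended_rule_groups" keys) is a constructed assumption modelled on the post's description, not the real LightSPD schema, and the on-disk tree it builds in a temporary directory is constructed so that one version's extended_rule_groups.json is deliberately absent, mirroring the missing-file report in question 1.

```python
"""Inspect a LightSPD-style manifest.json: pick the entry for the running Snort
version, verify that every file it references exists, and gather the text rules."""
import json
import tempfile
from pathlib import Path

# Constructed sample manifest. The top-level key "snort versions" and the
# per-version keys "rules_path" / "extended_rule_groups" are assumptions made
# for this example, not a statement of the real LightSPD schema.
SAMPLE_MANIFEST = {
    "snort versions": {
        "3.0.0.0": {
            "rules_path": "/lightspd/rules/3.0.0.0/",
            "extended_rule_groups": ["/lightspd/rules/3.0.0.0/extended_rule_groups.json"],
        },
        "3.1.35.0": {
            "rules_path": "/lightspd/rules/3.1.35.0/",
            "extended_rule_groups": ["/lightspd/rules/3.1.35.0/extended_rule_groups.json"],
        },
    }
}


def parse_version(text):
    """'3.1.35.0' -> (3, 1, 35, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def select_version(manifest, running_version):
    """Return the newest manifest entry that is not newer than the running Snort."""
    running = parse_version(running_version)
    candidates = [v for v in manifest["snort versions"] if parse_version(v) <= running]
    if not candidates:
        raise ValueError(f"no manifest entry is compatible with Snort {running_version}")
    return max(candidates, key=parse_version)


def missing_references(manifest, version, root):
    """List referenced extended_rule_groups files that are absent below the tarball root."""
    entry = manifest["snort versions"][version]
    return [rel for rel in entry.get("extended_rule_groups", [])
            if not (root / rel.lstrip("/")).is_file()]


def gather_rules(manifest, version, root):
    """Recursively collect .rules files below the selected version's rules_path."""
    rules_dir = root / manifest["snort versions"][version]["rules_path"].lstrip("/")
    return sorted(p.relative_to(root).as_posix() for p in rules_dir.rglob("*.rules"))


def build_sample_tree(root):
    """Constructed on-disk layout: manifest plus one rules file per version, but the
    extended_rule_groups.json file only for 3.0.0.0 (the 3.1.35.0 one is missing)."""
    (root / "lightspd").mkdir()
    (root / "lightspd" / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
    for version in ("3.0.0.0", "3.1.35.0"):
        group_dir = root / "lightspd" / "rules" / version / "snort3-server-web"
        group_dir.mkdir(parents=True)
        (group_dir / "server-web.rules").write_text(
            'alert http any any -> any any (msg:"constructed sample rule"; sid:1000001; rev:1;)\n')
    (root / "lightspd" / "rules" / "3.0.0.0" / "extended_rule_groups.json").write_text("{}")


def inspect_ruleset(root, running_version):
    """Parse the manifest under root and report what a rule manager would act on."""
    manifest = json.loads((root / "lightspd" / "manifest.json").read_text())
    version = select_version(manifest, running_version)
    return {
        "version": version,
        "missing": missing_references(manifest, version, root),
        "rules": gather_rules(manifest, version, root),
    }


def demo(running_version="3.1.40.0"):
    """Build the constructed tree in a temp dir and inspect it for a given Snort version."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return inspect_ruleset(root, running_version)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` for a Snort 3.1.40.0 selects the 3.1.35.0 entry (the newest one not newer than the running version), reports its extended_rule_groups.json as missing, and lists the single .rules file found by recursing under that version's rules directory. The selection rule is the point worth keeping whichever tool is used: hard-coding 3.0.0.0, as the post describes, silently ignores every newer directory in the tarball.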
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
