[Snort-sigs] oinkmaster and so rules.. FAQ broken?

Michael Scheidell michael.scheidell at ...1331...
Wed Feb 9 10:03:13 EST 2011



On 2/9/11 9:38 AM, JJC wrote:
> As such, and by design, it would
> be trivial for someone to use this data to write individual rules
> files back out from PP and this is a slated enhancement to PP.  Having
> said that, I still advocate using a single rules file as it can
> dramatically reduce the complexity needed to run / tune your snort
> deployment.  This does not apply to gid:3 stub rules though, they will
> still be written to a single output file.
I think stubs need to be re-written via snort itself, right?
> I certainly welcome any contribution to the tool such as the aforementioned :-)
then see attached:  I am not sure if this means it already writes it out 
file by file, or if this means it's possible to edit it.


On 2/9/11 3:23 AM, Edward Fjellskål wrote:
>> one such reason that i'm aware, and i think i have talked with the pulledpork
>> maintainer about it, is the merging of all rules files into one rules file...
>> that is just not an option in our environment... management of individual rules
>> sets via the snort.conf is much easier handled with the distributed multiple
>> rules files... but this is quite possibly also a limitation of certain tools
>> used to manage the rules sets... i've not dug deeper into it because of the
>> corporate and local limits in place...
> That's just one of the reasons I would not use pulledpork...
>
> One can solve this like I did:
> https://github.com/gamelinux/polman/blob/180148b57a60900505a69579816f54c43f0e8901/Polman/Sensor.pm
> Check out the code between line 549 and 596.
> You need to preserve the "filename" (category) from where the rule was
> picked up when parsing the rulefiles.
> Then you can write them out to the original named rulefile again.

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security, 2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20110209/bff8e53a/attachment.html>
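
The approach described in the quoted reply above (record the file name a rule was read from as its category, then write each rule back to that file), as an added example that is not code from this thread, Polman or PulledPork. The sample rules, the function names and the `so_rules.rules` file name used for gid:3 stubs are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input (file name -> contents); these are not real Snort rules.
SAMPLE_FILES = {
    "web-misc.rules": '# constructed header comment\n'
        'alert tcp any any -> any 80 (msg:"constructed web"; sid:1000001; rev:1;)\n'
        '# alert tcp any any -> any 80 (msg:"constructed, disabled"; sid:1000002; rev:2;)\n',
    "dns.rules": 'alert udp any any -> any 53 (msg:"constructed dns"; sid:1000003; rev:1;)\n',
    "bad-traffic.rules":
        'alert tcp any any -> any any (msg:"constructed stub"; gid:3; sid:1000004; rev:1;)\n',
}

# An optional leading '#' marks a disabled rule; plain comments do not match.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s.+\))$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def parse_rules(files):
    """Return {(gid, sid): rule}, keeping the source file name as the category."""
    rules = {}
    for name, text in files.items():
        for line in text.splitlines():
            m = RULE_RE.match(line.strip())
            sid = SID_RE.search(m["body"]) if m else None
            if not sid:
                continue  # blank line, plain comment, or rule without a sid
            gid = GID_RE.search(m["body"])
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
            rules[key] = {"category": name, "enabled": m["off"] is None, "body": m["body"]}
    return rules

def write_back(rules, stub_file="so_rules.rules"):
    """Regroup rules by original file name; gid:3 stubs all go to one file."""
    out = defaultdict(list)
    for (gid, _sid), rule in sorted(rules.items()):
        target = stub_file if gid == 3 else rule["category"]
        out[target].append(("" if rule["enabled"] else "# ") + rule["body"])
    return {name: "\n".join(lines) + "\n" for name, lines in out.items()}

if __name__ == "__main__":
    merged = parse_rules(SAMPLE_FILES)
    merged[(1, 1000001)]["enabled"] = False  # tuning step: disable one rule by gid:sid
    for name, text in write_back(merged).items():
        print(f"== {name}\n{text}", end="")
```

`write_back` returns the file contents instead of writing to disk, so the result can be diffed against the deployed rule files before anything is replaced.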

