[Snort-sigs] oinkmaster and so rules.. FAQ broken?
michael.scheidell at ...1331...
Wed Feb 9 10:03:13 EST 2011
On 2/9/11 9:38 AM, JJC wrote:
> As such, and by design, it would
> be trivial for someone to use this data to write individual rules
> files back out from PP and this is a slated enhancement to PP. Having
> said that, I still advocate using a single rules file as it can
> dramatically reduce the complexity needed to run / tune your snort
> deployment. This does not apply to gid:3 stub rules though, they will
> still be written to a single output file.
I think stubs need to be re-written via snort itself, right?
> I certainly welcome any contribution to the tool such as the aforementioned :-)
Then see attached: I am not sure if this means it already writes it out
file by file, or if this means it's possible to edit it.
On 2/9/11 3:23 AM, Edward Fjellskål wrote:
>> one such reason that I'm aware, and I think I have talked with the pulledpork
>> maintainer about it, is the merging of all rules files into one rules file...
>> that is just not an option in our environment... management of individual rules
>> sets via the snort.conf is much easier handled with the distributed multiple
>> rules files... but this is quite possibly also a limitation of certain tools
>> used to manage the rules sets... I've not dug deeper into it because of the
>> corporate and local limits in place...
> That's just one of the reasons I would not use pulledpork...
> One can solve this like I did:
> Check out the code between line 549 and 596.
> You need to preserve the "filename" (category) from where the rule was
> picked up when parsing the rulefiles.
> Then you can write them out to the original named rulefile again.
Michael Scheidell, CTO
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008