[Snort-sigs] oinkmaster and so rules.. FAQ broken?

Alan Ptak alan.ptak at ...2420...
Wed Feb 9 10:18:17 EST 2011


Michael, 

Please resend with your attachment.

--Alan

On Feb 9, 2011, at 7:03 AM, Michael Scheidell wrote:

> 
> 
> On 2/9/11 9:38 AM, JJC wrote:
>> 
>> As such, and by design, it would
>> be trivial for someone to use this data to write individual rules
>> files back out from PP and this is a slated enhancement to PP.  Having
>> said that, I still advocate using a single rules file as it can
>> dramatically reduce the complexity needed to run / tune your snort
>> deployment.  This does not apply to gid:3 stub rules though, they will
>> still be written to a single output file.
> I think stubs need to be re-written via snort itself, right? 
>> I certainly welcome any contribution to the tool such as the aforementioned :-)
> then see attached:  I am not sure if this means it already writes it out file by file, or if this means it's possible to edit it.
> 
> 
> On 2/9/11 3:23 AM, Edward Fjellskål wrote:
>> 
>>> one such reason that I'm aware of, and I think I have talked with the pulledpork
>>> maintainer about it, is the merging of all rules files into one rules file...
>>> that is just not an option in our environment... management of individual rules
>>> sets via the snort.conf is much easier handled with the distributed multiple
>>> rules files... but this is quite possibly also a limitation of certain tools
>>> used to manage the rules sets... I've not dug deeper into it because of the
>>> corporate and local limits in place...
>> That's just one of the reasons I would not use pulledpork...
>> 
>> One can solve this like I did:
>> https://github.com/gamelinux/polman/blob/180148b57a60900505a69579816f54c43f0e8901/Polman/Sensor.pm
>> Check out the code between line 549 and 596.
>> You need to preserve the "filename" (category) from where the rule was
>> picked up when parsing the rulefiles.
>> Then you can write them out to the original named rulefile again.
> 
> -- 
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> | SECNAP Network Security Corporation
> Certified SNORT Integrator
> 2008-9 Hot Company Award Winner, World Executive Alliance
> Five-Star Partner Program 2009, VARBusiness
> Best in Email Security,2010: Network Products Guide
> King of Spam Filters, SC Magazine 2008
> 
> This email has been scanned and certified safe by SpammerTrap®. 
> For Information please see http://www.secnap.com/products/spammertrap/
> 
> 

Best regards,

Alan
--
Alan Ptak
V: 310.488.8606
E: alan.ptak at ...2420...
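Edward's approach above (keep the source filename as the rule's category while parsing, then write each rule back to a file of that name, with gid:3 stubs going to a single output file as JJC describes) sketched in Python as an added example; this is not code from polman or pulledpork, and the file names, `SO_OUTPUT`, and the sample rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: rule files as downloaded by a rule-management tool.
SAMPLE_FILES = {
    "web-misc.rules": (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC sample A"; sid:1000001; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC disabled"; sid:1000002; rev:1;)\n'
    ),
    "dns.rules": (
        'alert udp $EXTERNAL_NET 53 -> $HOME_NET any \\\n'
        '    (msg:"DNS sample, continued line"; sid:1000003; rev:1;)\n'
    ),
    "so_stubs.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SO stub"; sid:20001; gid:3; rev:1;)\n'
    ),
}

SO_OUTPUT = "so_rules.rules"  # hypothetical single output file for gid:3 stub rules
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(files):
    """Return (category, gid, sid, rule_text) tuples; category is the source filename."""
    rules = []
    for category, text in files.items():
        buf = ""
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.endswith("\\"):  # Snort backslash line continuation
                buf += line[:-1].rstrip() + " "
                continue
            rule, buf = buf + line, ""
            sid = SID_RE.search(rule)
            if not sid:  # a plain comment, not a (possibly disabled) rule
                continue
            gid = GID_RE.search(rule)
            rules.append((category, int(gid.group(1)) if gid else 1, int(sid.group(1)), rule))
    return rules


def group_for_output(rules):
    """Route each rule back to its original filename; gid:3 stubs share one output file."""
    out = defaultdict(list)
    for category, gid, _sid, rule in rules:
        out[SO_OUTPUT if gid == 3 else category].append(rule)
    return dict(out)
```

Disabled rules (leading `#`) keep their category too, so a tuning pass that comments rules out does not lose track of which file they came from.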