[Snort-sigs] Some notes about today's VRT Rule release for 02/09/2012

waldo kitty wkitty42 at ...3507...
Thu Feb 9 17:19:42 EST 2012


On 2/9/2012 15:58, Joel Esler wrote:

[trim]

> Today, we leveled the playing field between the various ways to get Snort rules.
> It has long been the case where Sourcefire products, by default, enabled rules
> in the balanced-ips policy.

ok...

> When you use PulledPork (http://code.google.com/p/pulledpork/), this is also the
> default behavior. But when you simply downloaded the rules from Snort.org, the
> rules were a hodgepodge of rules that were enabled or disabled, denoted by
> whether or not the rule was commented out in the rules file.

ok...

> In an effort to make the barrier to entry that much easier, the Open Source rule
> package downloaded on snort.org <http://snort.org> now exactly mirrors what you
> would get if you used PulledPork. All rules in balanced-ips are enabled and all
> rules not in balanced-ips are disabled. The exception to this is that rules that
> set flowbits that are used by rules that are in balanced-ips are also enabled.
> This means that the default Open Source ruleset will now provide a good balance
> between speed, performance, and detection and all rules should work as
> expected.  Those using Oinkmaster, or simply downloading the ruleset directly,
> will now be running the "balanced-ips" policy.  A rule's "on/off" state is now
> dictated by policy.

what policy? i've understood most things up to here... we do not use any 
"policy" rules in our configuration... at least nothing specifically... i don't 
believe that we even include the policy.rules file(s)... so one has to ask, what 
policy? where can one see this policy? does this change blow things up like 
oinkmaster's disablesid option?
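The mechanism Joel describes above, as an added illustration that is not part of this thread and is not Sourcefire's, PulledPork's or Oinkmaster's own code: a rule's on/off state is derived from the policy it is tagged with, and any rule that sets a flowbit checked by an enabled rule is pulled in as well, transitively. It assumes the policy is carried in each rule's `metadata:policy <name> <action>` option (the tagging VRT rules use) and works on constructed sample rules with made-up SIDs. It does not read a separate policy.rules file, which is the point of the question: under this scheme the "policy" is nothing more than those metadata tags.

```python
import re

# Constructed sample rule file (SIDs, messages and flowbit names are made up).
# Lines 1 and 4 arrive commented out, as in the old "hodgepodge" download.
SAMPLE_RULES = """\
# alert tcp any any -> any 80 (msg:"EXAMPLE stage setter"; flow:to_server,established; flowbits:set,example.stage; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE balanced rule"; flow:to_server,established; flowbits:isset,example.stage; content:"foo"; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000002; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE security-only rule"; flow:to_server,established; content:"bar"; metadata:policy security-ips drop; sid:9000003; rev:1;)
# alert tcp any any -> any 25 (msg:"EXAMPLE no policy tag"; content:"baz"; sid:9000004; rev:1;)
alert tcp any any -> any 21 (msg:"EXAMPLE sets an unused bit"; flowbits:set,example.unused; flowbits:noalert; sid:9000005; rev:1;)
"""

RULE_RE = re.compile(
    r"^(?P<hash>#\s*)?(?P<body>(?:alert|drop|pass|log|reject|sdrop)\s.*\(.*\)\s*)$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata:\s*([^;]*);")
FLOWBITS_RE = re.compile(r"\bflowbits:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+([\w-]+)")


def parse_rule(line):
    """Return a dict describing one rule line, or None for comments/blank lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    body = m.group("body").rstrip()
    sid_m = SID_RE.search(body)
    if not sid_m:
        return None
    policies = set()
    for meta in META_RE.findall(body):
        policies.update(POLICY_RE.findall(meta))
    sets, checks = set(), set()
    for fb in FLOWBITS_RE.findall(body):
        parts = [p.strip() for p in fb.split(",")]
        names = set(re.split(r"[&|]", parts[1])) if len(parts) > 1 else set()
        if parts[0] in ("set", "toggle"):
            sets |= names          # this rule produces a flowbit
        elif parts[0] in ("isset", "isnotset"):
            checks |= names        # this rule depends on a flowbit
    return {
        "sid": int(sid_m.group(1)),
        "was_disabled": m.group("hash") is not None,
        "body": body,
        "policies": policies,
        "sets": sets,
        "checks": checks,
    }


def enabled_sids(rules, policy="balanced-ips"):
    """SIDs tagged with the policy, plus every rule that sets a flowbit they check."""
    enabled = {r["sid"] for r in rules if policy in r["policies"]}
    changed = True
    while changed:                 # iterate until the flowbit closure is stable
        changed = False
        needed = set()
        for r in rules:
            if r["sid"] in enabled:
                needed |= r["checks"]
        for r in rules:
            if r["sid"] not in enabled and r["sets"] & needed:
                enabled.add(r["sid"])
                changed = True
    return enabled


def policy_state(text, policy="balanced-ips"):
    """Map each SID in the file to True (enabled) or False (disabled) under the policy."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    enabled = enabled_sids(rules, policy)
    return {r["sid"]: r["sid"] in enabled for r in rules}


def apply_policy(text, policy="balanced-ips"):
    """Rewrite the rule file so that commenting reflects the policy, ignoring prior state."""
    state = policy_state(text, policy)
    out = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            out.append(line)       # non-rule lines pass through untouched
        elif state[r["sid"]]:
            out.append(r["body"])
        else:
            out.append("# " + r["body"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(apply_policy(SAMPLE_RULES))
```

Note that `apply_policy` ignores whether a rule was previously commented out; that is exactly why a local `disablesid` list in Oinkmaster or PulledPork must be reapplied after the policy pass rather than relied on from the downloaded file.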
