[Snort-sigs] Some notes about today's VRT Rule release for 02/09/2012

Joel Esler jesler at ...435...
Thu Feb 9 17:35:04 EST 2012


On Thu, Feb 9, 2012 at 5:19 PM, waldo kitty <wkitty42 at ...3507...> wrote:

> On 2/9/2012 15:58, Joel Esler wrote:
>
> [trim]
>
> > In an effort to make the barrier to entry that much easier, the Open
> Source rule
> > package downloaded on snort.org <http://snort.org> now exactly mirrors
> what you
> > would get if you used PulledPork. All rules in balanced-ips are enabled
> and all
> > rules not in balanced-ips are disabled. The exception to this is that
> rules that
> > set flowbits that are used by rules that are in balanced-ips are also
> enabled.
> > This means that the default Open Source ruleset will now provide a good
> balance
> > between speed, performance, and detection and all rules should work as
> > expected.  Those using Oinkmaster, or simply downloading the ruleset
> directly,
> > will now be running the "balanced-ips" policy.  A rule's "on/off" state
> is now
> > dictated by policy.
>
> what policy? i've understood most things up to here... we do not use any
> "policy" rules in our configuration... at least nothing specifically... i
> don't
> believe that we even include the policy.rules file(s)... so one has to
> ask, what
> policy? where can one see this policy? does this change blow things up like
> oinkmaster's disablesid option?
>
> We've had three policies in the rules for some time now in the "metadata"
field.  "policy connectivity-ips, policy balanced-ips, and policy
security-ips"

This change will not affect Oinkmaster at all.  In fact, those of you that
were using things other than PulledPork that didn't have flowbit
auto-resolution or policy enforcement are now running the exact same
policies (and dependancies) that those that are.  That's what we mean by
"leveling the playing field".

Actually, Waldo, you were one of the people specifically we had in mind
when we made this "fix", since you can't run PulledPork.

J
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120209/935c632f/attachment.html>


More information about the Snort-sigs mailing list