[Snort-sigs] Some notes about today's VRT Rule release for 02/09/2012

waldo kitty wkitty42 at ...3507...
Thu Feb 9 17:45:52 EST 2012


On 2/9/2012 17:35, Joel Esler wrote:
>
>
> On Thu, Feb 9, 2012 at 5:19 PM, waldo kitty <wkitty42 at ...3507...> wrote:
>     what policy? i've understood most things up to here... we do not use any
>     "policy" rules in our configuration... at least nothing specifically... i don't
>     believe that we even include the policy.rules file(s)... so one has to ask, what
>     policy? where can one see this policy? does this change blow things up like
>     oinkmaster's disablesid option?
>
> We've had three policies in the rules for some time now in the "metadata" field.
> "policy connectivity-ips, policy balanced-ips, and policy security-ips"

yes, i've seen those but they mean nothing to me or anything i know of that we 
use with snort... i did actually go digging about and found a post by you back 
in aug 2001, on the 4th or 11th i think, where you did explain a bit of this...

> This change will not affect Oinkmaster at all.  In fact, those of you that were
> using things other than PulledPork that didn't have flowbit auto-resolution or
> policy enforcement are now running the exact same policies (and dependencies)
> that those that are.  That's what we mean by "leveling the playing field".

ok... i'm still not sure what "playing field", though ;)

> Actually, Waldo, you were one of the people specifically we had in mind when we
> made this "fix", since you can't run PulledPork.

understood and i thank you... but i'm not sure, yet, how it is going to affect 
my setup... i'll find out soon enough if things that were working properly are 
suddenly getting blocked by the active response system or not blocked by it when 
it should be...
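
Added example, not part of the original message or of the VRT/Snort tooling: one way to see which rules in a rules file carry each of the three policy names quoted above, by reading the "metadata" option. The sample rules and SIDs are constructed placeholders, and the "policy <name> <action>" item layout and the leading "#" for a commented-out rule are assumptions about the rule file format.

```python
import re
from collections import defaultdict

# Constructed sample rules (placeholders, not taken from any VRT release).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule A"; flow:to_server,established; content:"example-a"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE rule B"; content:"example-b"; metadata:policy security-ips alert, service smtp; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE rule C"; content:"example-c"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE rule D"; content:"example-d"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; sid:1000004; rev:2;)
'''

# Rule header (optionally commented out), then the option body in parentheses.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s.*?\((?P<opts>.*)\)\s*$')
META_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
POLICY_RE = re.compile(r'^policy\s+(\S+)(?:\s+(\S+))?$')

def parse_rule(line):
    """Return (sid, enabled_in_file, {policy: action}) or None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group('opts')
    sid = SID_RE.search(opts)
    if not sid:
        return None
    policies = {}
    for meta in META_RE.findall(opts):
        for item in meta.split(','):
            p = POLICY_RE.match(item.strip())
            if p:  # skip non-policy items such as "service http"
                # No per-policy action given: fall back to the rule's own action.
                policies[p.group(1)] = p.group(2) or m.group('action')
    return int(sid.group(1)), m.group('off') is None, policies

def policy_members(text):
    """Map policy name -> sorted list of (sid, action, enabled_in_file)."""
    members = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            sid, enabled, policies = parsed
            for name, action in policies.items():
                members[name].append((sid, action, enabled))
    return {name: sorted(rules) for name, rules in members.items()}

if __name__ == "__main__":
    for name, rules in sorted(policy_members(SAMPLE_RULES).items()):
        print(name)
        for sid, action, enabled in rules:
            print(f"  sid {sid}: {action} ({'enabled' if enabled else 'commented out'})")
```

A rule with no policy items in its metadata (sample rule C) belongs to none of the three policies and does not appear in the output.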



