[Snort-sigs] Rules included in the VRT base policies

Y M snort at outlook.com
Sun May 20 17:21:56 EDT 2018


I guess this is already done in the rules’ metadata field, within each rule. A category may contain rules that may or may not belong to a policy. The criteria in the page you referenced govern the policy placement, AFAIK.

Another way to figure this out would be using PulledPork. On the first run, choose the connectivity policy and dump the rules into a single file (snort.rules). On the second run, choose the balanced policy, and so on. You can keep each run’s rules separate for comparison’s sake. At the end of each run, PulledPork will print out the stats. You should see the number of enabled rules increase as you expand the policy.

Here is additional documentation that may not be directly related to your question, but good to know.

http://blog.snort.org/2012/03/rule-category-reorganization.html
http://blog.snort.org/2012/08/rule-category-reorganization-phase-2.html
http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html

YM
________________________________
From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Antonio Leding <tech at leding.net>
Sent: Sunday, May 20, 2018 11:59:10 PM
To: mailer - snort; mailer - snort
Subject: [Snort-sigs] Rules included in the VRT base policies

Hello Snort community,

Is there any reference that describes what rules are contained in each of the 4 VRT policies? I did find a very brief discussion at: https://www.snort.org/documents/215 however this is a very high-level discussion - nothing about specific rules...
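
The metadata approach mentioned in the reply, as an added example that is not part of either post: it reads rule lines (enabled or commented out), pulls the `policy <name> <action>` entries out of each rule's `metadata` option, and lists the SIDs that belong to each policy. The sample rules are constructed, the function names are hypothetical, and the sketch assumes one rule per line with policy names written as in the rule metadata (for example `balanced-ips`).

```python
import re
from collections import defaultdict

# Constructed sample rules (not taken from the VRT rule set); SIDs are in the local range.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule A"; content:"a"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule B"; content:"b"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE metadata:policy balanced-ips drop\; in msg"; content:"c"; metadata:policy security-ips alert, service smtp; sid:1000003; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE rule D"; content:"d"; metadata:service dns; sid:1000004; rev:1;)
# This is an ordinary comment, not a rule
'''

# A rule line, optionally commented out (disabled); group 1 is the option body.
RULE_RE = re.compile(r'^\s*(?:#\s*)?(?:alert|drop|sdrop|reject|log|pass)\s[^(]*\((.*)\)\s*$')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')
META_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def rule_policies(text):
    """Map sid -> {policy name: action} for every rule line, enabled or disabled."""
    result = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or ordinary comment
        # Blank out quoted strings so msg/content text is never parsed as options.
        opts = QUOTED_RE.sub('""', m.group(1))
        sid = SID_RE.search(opts)
        if not sid:
            continue
        policies = {}
        for meta in META_RE.findall(opts):
            for entry in meta.split(','):
                parts = entry.split()
                if len(parts) == 3 and parts[0] == 'policy':
                    policies[parts[1]] = parts[2]
        result[int(sid.group(1))] = policies
    return result


def sids_by_policy(text):
    """Invert rule_policies(): policy name -> sorted list of member SIDs."""
    members = defaultdict(list)
    for sid, policies in rule_policies(text).items():
        for name in policies:
            members[name].append(sid)
    return {name: sorted(sids) for name, sids in members.items()}


if __name__ == '__main__':
    for name, sids in sorted(sids_by_policy(SAMPLE_RULES).items(), key=lambda kv: len(kv[1])):
        print(f'{name:20} {len(sids):3} rules  {sids}')
```

Rules that carry no `policy` entry, like the last constructed rule, map to an empty dict and so appear in no policy list.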