[Snort-users] quick question about snort.conf

Jeremy Hoel jthoel at ...11827...
Tue Oct 23 18:06:59 EDT 2012


The rules file you get still has all the rules in the little groups.
That's still the official way.

If you want better/easier rule management then you use
pulledpork/oinkmaster/etc. And with pulledpork, one of its options is
to output the single snort.rules file. You don't have to do that, you
can still have the individual files, but the single file is the
default.

So as far as Snort is concerned, its default way is to use the
individual files, but most of the users will probably migrate to
better management with the single rules file.

On Tue, Oct 23, 2012 at 9:59 PM, AllowOverride <allowoverride at ...11827...> wrote:
> I noticed today that the snort.conf from:
>
> http://labs.snort.org/snort/2931/snort.conf
>
> still includes the "include" rules.
>
> From what I have been told, for IDS in my case, I need to # out the
> include statements, and only use the snort.rules like this:
>
> include $RULE_PATH/snort.rules
>
> So to wrap up: when I use the snort.rules listed above, snort works. If I
> do NOT include the path above it will not. 0 bytes snort.log is my
> proof.
>
> I am curious as to why the downloadable snort.conf is still including
> the paths below, not #'d out, and still available?
>
> Shouldn't they be removed since snort.rules is the supported way
> officially?
>
> Just wondering, I appreciate your comments.
>
>
>
> wrong way:
>
> # site specific rules
> include $RULE_PATH/local.rules
>
> include $RULE_PATH/app-detect.rules
> include $RULE_PATH/attack-responses.rules
> ....
>
> right way:
>
> # site specific rules
> #include $RULE_PATH/local.rules
> include $RULE_PATH/snort.rules
>
> #include $RULE_PATH/app-detect.rules
> #include $RULE_PATH/attack-responses.rules
> ....
>
>
> Correct?
>
> PS. base1.4.5, barnyard2, pulledpork, snort work fine :)
>
> Thanks!
>




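A way to check which layout a given snort.conf is actually using, as an added example that is not part of the original thread: it lists every active `include ... .rules` line, resolves `var` references, and reports how many rules each file contributes (`None` if the file is missing). It assumes relative paths resolve against the snort.conf directory, handles only `var` (not `ipvar`/`portvar`), and counts one rule per line that starts with a rule action; the sample files in `demo()` are constructed.

```python
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+\.rules)\s*$")
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\b")

def count_rules(path):
    """Number of uncommented rule lines, or None if the file does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return sum(1 for line in fh if RULE_RE.match(line))

def audit_includes(conf_path):
    """Return [(include as written, rule count or None)] for active includes."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, results = {}, []
    with open(conf_path) as fh:
        for line in fh:
            line = line.split("#", 1)[0]  # "#include ..." lines are inactive
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = m.group(2)
                continue
            m = INCLUDE_RE.match(line)
            if m:
                expanded = re.sub(r"\$(\w+)",
                                  lambda v: variables.get(v.group(1), v.group(0)),
                                  m.group(1))
                full = os.path.normpath(os.path.join(conf_dir, expanded))
                results.append((m.group(1), count_rules(full)))
    return results

def demo():
    """Constructed case: only snort.rules exists, one category include is left on."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "rules"))
        with open(os.path.join(d, "rules", "snort.rules"), "w") as fh:
            fh.write('# constructed sample rule\n'
                     'alert tcp any any -> any 80 (msg:"sample"; sid:1000001; rev:1;)\n')
        with open(os.path.join(d, "snort.conf"), "w") as fh:
            fh.write("var RULE_PATH rules\n#include $RULE_PATH/local.rules\n"
                     "include $RULE_PATH/snort.rules\n"
                     "include $RULE_PATH/app-detect.rules\n")
        return audit_includes(os.path.join(d, "snort.conf"))

if __name__ == "__main__":
    print(demo())
```

An include reported as `None` or `0` points at a file that adds no rules, which is the first thing to rule out when switching between the per-category files and a single snort.rules.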