[Snort-users] quick question about snort.conf

Joel Esler jesler at ...1935...
Tue Oct 23 19:04:28 EDT 2012


Exactly correct.  

Sent from my iPhone

On Oct 23, 2012, at 6:06 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> The rules file you get still has all the rules in the little groups.
> That's still the official way.
> 
> If you want better/easier rule management then you use
> pulledpork/oinkmaster/etc. And with pulledpork, one of its options is
> to output the single snort.rules file. You don't have to do that, you
> can still have the individual files, but the single file is the
> default.
> 
> So as far as Snort is concerned, its default way is to use the
> individual files, but most of the users will probably migrate to
> better management with the single rules file.
> 
> On Tue, Oct 23, 2012 at 9:59 PM, AllowOverride <allowoverride at ...11827...> wrote:
>> I noticed today that the snort.conf from:
>> 
>> http://labs.snort.org/snort/2931/snort.conf
>> 
>> still includes the "include" rules.
>> 
>> From what I have been told, for IDS in my case, I need to # out the
>> include statements, and only use the snort.rules like this:
>> 
>> include $RULE_PATH/snort.rules
>> 
>> So to wrap up: when I use the snort.rules listed above, Snort works. If I
>> do NOT include the path above it will not. A 0 bytes snort.log is my
>> proof.
>> 
>> I am curious as to why the downloadable snort.conf is still including
>> the paths below, not #'d out, and still available??
>> 
>> Shouldn't they be removed since snort.rules is the supported way
>> officially?
>> 
>> Just wondering, I appreciate your comments.
>> 
>> 
>> 
>> wrong way:
>> 
>> # site specific rules
>> include $RULE_PATH/local.rules
>> 
>> include $RULE_PATH/app-detect.rules
>> include $RULE_PATH/attack-responses.rules
>> ....
>> 
>> right way:
>> 
>> # site specific rules
>> #include $RULE_PATH/local.rules
>> include $RULE_PATH/snort.rules
>> 
>> #include $RULE_PATH/app-detect.rules
>> #include $RULE_PATH/attack-responses.rules
>> ....
>> 
>> 
>> correct?
>> 
>> PS. base1.4.5, barnyard2, pulledpork, snort work fine :)
>> 
>> thanks!
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
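
An added example (not from the thread or from the Snort project): a small Python audit that lists which rule files a snort.conf actually loads, to check which of the two layouts discussed above is in effect and whether any included file is missing or has no active rules. The `demo()` layout, the sample rule, and the assumption that relative paths resolve against the directory holding snort.conf are constructed for illustration.

```python
import os, re, tempfile

VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+\.rules)\s*$')
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s')

def count_rules(path):
    """Return (status, number of uncommented rules) for one rule file."""
    if not os.path.isfile(path):
        return ("missing", 0)
    with open(path) as rules:
        active = sum(1 for line in rules if RULE_RE.match(line))
    return ("ok" if active else "no active rules", active)

def audit_includes(conf_path):
    """List each uncommented 'include <file>.rules' line as (name, status, count)."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, results = {}, []
    with open(conf_path) as conf:
        for line in conf:
            if (m := VAR_RE.match(line)):
                variables[m.group(1)] = m.group(2)
            elif (m := INCLUDE_RE.match(line)):
                # Expand $RULE_PATH etc.; unknown variables stay as written.
                expand = lambda v: variables.get(v.group(1), v.group(0))
                path = re.sub(r'\$(\w+)', expand, m.group(1))
                # Assumption: relative paths resolve against snort.conf's directory.
                path = os.path.normpath(os.path.join(conf_dir, path))
                results.append((os.path.basename(path),) + count_rules(path))
    return results

def demo():
    """Constructed layout: single snort.rules, empty local.rules, one stock
    per-category include left active and one commented out."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "rules"))
    with open(os.path.join(root, "rules", "snort.rules"), "w") as f:
        f.write('alert tcp any any -> any 80 (msg:"constructed sample"; sid:1000001; rev:1;)\n')
    with open(os.path.join(root, "rules", "local.rules"), "w") as f:
        f.write("# no site rules yet\n")
    conf = os.path.join(root, "etc", "snort.conf")
    with open(conf, "w") as f:
        f.write("var RULE_PATH ../rules\n"
                "include $RULE_PATH/local.rules\n"
                "include $RULE_PATH/snort.rules\n"
                "include $RULE_PATH/app-detect.rules\n"
                "#include $RULE_PATH/attack-responses.rules\n")
    return audit_includes(conf)
```

Call `audit_includes()` with the path to a real snort.conf to get the same report for a live sensor; `demo()` only exercises it on the constructed files.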
