[Snort-users] Using PP

Peter Bates peter.bates at ...15381...
Thu Sep 13 06:37:57 EDT 2012



Hello all

On 13/09/2012 11:18, Pratik Narang wrote:
> I already had some 4K rules enabled manually, i.e. without PP. Now
> with PP managing and enabling my rules (I used 'security' policy),
> do I need to simply forget whatever I had enabled earlier and start
> afresh, or is there some workaround so that I can still have those
> previous rules around and can enable/disable them with PP as per
> need?

In pulledpork.conf, if you have

state_order=disable,drop,enable
enablesid=/usr/local/etc/snort/enablesid.conf

In enablesid.conf you can have a list of SIDs you would like to keep
enabled if there are some you know are useful/valuable:

1:17114 # WEB-CLIENT Microsoft SilverLight ImageSource RCE attempt
1:23262 # Trojan.Banker
1:23173 # Android Zitmo trojan

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
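To make the reply above concrete, here is an added Python example (not pulledpork's own code and not from the thread) that does two things: it pulls the SIDs of every uncommented rule out of a hand-maintained rules file and writes them in enablesid.conf syntax, and it then applies disablesid/dropsid/enablesid lists to a freshly downloaded ruleset in the order given by state_order, so you can see why "disable,drop,enable" lets your enablesid.conf win over a policy that commented a rule out. The rule lines and SID lists are constructed samples. The model of pulledpork is simplified and assumed: SID lists are "gid:sid" entries, "gid:sid-gid:sid" ranges and "#" comments; the drop state rewrites the "alert" action to "drop"; and states are applied in state_order with the later state winning on conflict. Check the real tool's documentation for anything beyond that.

```python
import re

# Matches the sid/gid options in a Snort rule body.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

# Constructed sample: the ruleset that was maintained by hand before pulledpork.
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo banker"; sid:23262; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo silverlight"; sid:17114; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo zitmo"; sid:23173; rev:1;)
"""

# Constructed sample: a freshly downloaded ruleset after the 'security' policy
# has already commented out what it considers unneeded.
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo silverlight"; sid:17114; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo banker"; sid:23262; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo zitmo"; sid:23173; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"demo noisy"; sid:1000; rev:1;)
"""

# Constructed disablesid/dropsid lists; enablesid is generated from OLD_RULES below.
DISABLESID = "1:23262 # disabled here, but enablesid should win\n1:1000\n"
DROPSID = "1:17114\n"


def rule_id(line):
    """Return (gid, sid) for a rule line, commented out or not; None otherwise."""
    body = line.lstrip('# ')
    m = SID_RE.search(body)
    if not m:
        return None
    g = GID_RE.search(body)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def enabled_ids(rules_text):
    """(gid, sid) of every uncommented rule: what had been enabled by hand."""
    return [rid for rid in map(rule_id, rules_text.splitlines())
            if rid and not any(l.lstrip().startswith('#') and rule_id(l) == rid
                               for l in rules_text.splitlines())]


def to_enablesid_conf(ids):
    """Render (gid, sid) pairs in the assumed 'gid:sid' list syntax."""
    return ''.join(f'{g}:{s}\n' for g, s in ids)


def parse_sid_list(conf_text):
    """Parse 'gid:sid', 'gid:sid-gid:sid' ranges and '#' comments into a set."""
    ids = set()
    for line in conf_text.splitlines():
        for tok in line.split('#', 1)[0].replace(',', ' ').split():
            lo, _, hi = tok.partition('-')
            g, s1 = map(int, lo.split(':'))
            s2 = int(hi.split(':')[1]) if hi else s1
            ids.update((g, s) for s in range(s1, s2 + 1))
    return ids


def apply_state_order(rules_text, state_order, disable, drop, enable):
    """Apply the three lists in state_order; a later state overrides an earlier one."""
    lists = {'disable': disable, 'drop': drop, 'enable': enable}
    out = []
    for line in rules_text.splitlines():
        rid = rule_id(line)
        if rid is None:
            out.append(line)
            continue
        body = line.lstrip('# ')
        commented = line.lstrip().startswith('#')
        for state in state_order:
            if rid not in lists[state]:
                continue
            commented = state == 'disable'
            if state == 'drop':  # assumed pulledpork behaviour: alert -> drop
                body = re.sub(r'^alert\b', 'drop', body)
        out.append('# ' + body if commented else body)
    return '\n'.join(out) + '\n'


def rule_states(rules_text):
    """Map each (gid, sid) to 'disabled', 'drop' or 'enabled'."""
    states = {}
    for line in rules_text.splitlines():
        rid = rule_id(line)
        if rid:
            states[rid] = ('disabled' if line.lstrip().startswith('#')
                           else 'drop' if line.startswith('drop') else 'enabled')
    return states


def resulting_states(state_order):
    """End state of NEW_RULES with enablesid.conf generated from the old ruleset."""
    enable = parse_sid_list(to_enablesid_conf(enabled_ids(OLD_RULES)))
    merged = apply_state_order(NEW_RULES, state_order, parse_sid_list(DISABLESID),
                               parse_sid_list(DROPSID), enable)
    return rule_states(merged)


if __name__ == '__main__':
    print(to_enablesid_conf(enabled_ids(OLD_RULES)))
    print(resulting_states(['disable', 'drop', 'enable']))
    print(resulting_states(['enable', 'drop', 'disable']))
```

Run it and compare the two printed dictionaries: with enable last, SID 23262 ends up enabled even though the policy (and the disablesid list) turned it off; with disable last, the same rule ends up disabled, which is the trap to avoid when keeping a list of hand-picked rules.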