[Snort-users] Rule Management with two separate rulesets

JJC cummingsj at ...11827...
Wed Jul 17 12:58:38 EDT 2013


PP names them for you.. even if they are individual ET-category.rules or
VRT-category.rules :-)


On Wed, Jul 17, 2013 at 10:49 AM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 7/16/2013 23:08, Steven McLaughlin wrote:
> > Hi All,
> >
> > I am looking at testing emerging threats ruleset alongside snort rules.
> > As far as directory structures are concerned is it best to have the rules in
> > separate directories and run two separate instances of pulledpork? Or better to
> > have both rule sets all in the one directory?
> >
> > The overlap could get complicated here with rule updates and snort conf
> > files etc..
> >
> > Is anyone else doing this? If so any advice?
>
> we run both sets here... not testing...
>
> we do not (yet) use pulledpork...
>
> we have all the rules files in one directory...
>
> each is differentiated by their name...
>    blah.rules from VRT (kinda wish they'd put VRT-blah.rules)...
>    emerging-blah.rules from ET...
>
> we have all rules named in snort.conf so that we can manage them by "category"
> (ie: filename)... in this way, we can enable or disable an entire category with
> one edit to (un)comment one filename...
>
> having the rules all in one directory also allows for easier management of
> sid-msg.map because the generator for that file can simply run thru all files in
> the one rules directory...
>
> we have no problem with rules updates... we (currently) pull VRT rules once a
> week and ET rules once a day...
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
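The single-directory layout described in the quoted reply above (VRT files named blah.rules, ET files named emerging-blah.rules, one `include` per category in snort.conf, and a sid-msg.map generator that simply walks every file in the directory), as an added example that is not from the thread, from Snort or from PulledPork. The rule files, snort.conf excerpt, sids and references are constructed for illustration; the output uses the v1 `sid || msg || ref` sid-msg.map format.

```python
import re

# Constructed sample rule files standing in for the one rules directory described above:
# VRT files named blah.rules, ET files named emerging-blah.rules (the thread's convention).
SAMPLE_RULES = {
    "scan.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE VRT SSH scan"; flags:S; '
        'reference:url,example.invalid/vrt; classtype:attempted-recon; sid:1000001; rev:2;)\n'
        '#alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)\n'),
    "emerging-scan.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ET SCAN probe"; '
        'reference:url,example.invalid/et; reference:cve,0000-0000; sid:2000001; rev:3;)\n'),
}
# Constructed snort.conf excerpt: one include per category; a leading '#' disables the category.
SNORT_CONF = ("include $RULE_PATH/scan.rules\n"
              "include $RULE_PATH/emerging-scan.rules\n"
              "#include $RULE_PATH/emerging-policy.rules\n")

OPTS_RE = re.compile(r"\((.*)\)\s*$")        # the (...) option block of a rule line
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')  # key:value; pairs inside the option block
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+\.rules)")

def parse_rule(line):
    """Return (sid, msg, refs) for an active rule line, or None for comments and non-rules."""
    m = OPTS_RE.search(line) if not line.lstrip().startswith("#") else None
    if not m:
        return None
    opts = OPT_RE.findall(m.group(1))
    sid = next((int(v) for k, v in opts if k == "sid"), None)
    msg = next((v for k, v in opts if k == "msg"), None)
    refs = [v for k, v in opts if k == "reference"]
    return (sid, msg, refs) if sid is not None and msg else None

def build_sid_msg_map(rule_files):
    """Run through every rules file in the directory and emit v1 'sid || msg || ref' lines."""
    entries = {}
    for text in rule_files.values():
        for parsed in filter(None, map(parse_rule, text.splitlines())):
            entries[parsed[0]] = parsed  # a later file defining the same sid wins
    return [" || ".join([str(sid), msg] + refs) for sid, msg, refs in sorted(entries.values())]

def enabled_categories(conf_text):
    """(filename, source) for each include line in snort.conf that is not commented out;
    ET and VRT are told apart purely by the emerging- filename prefix."""
    found = [INCLUDE_RE.match(l) for l in conf_text.splitlines()]
    return [(m.group(1), "ET" if m.group(1).startswith("emerging-") else "VRT") for m in found if m]
```

Pointing `SAMPLE_RULES` at real file contents read from the rules directory gives a sid-msg.map that covers both rulesets in one pass, and commented-out rules never reach the map.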