[Snort-users] Default rule set
wkitty42 at ...14940...
Sat May 17 10:47:11 EDT 2014
On 5/17/2014 6:43 AM, Y M wrote:
> > ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET
> > (EmergingThreats) rules sets?? ;)
> I don't think ET ruleset has these policies.
exactly, thanks for confirming this, YM... it is especially important since the
OP's original question mentioned ET rules...
> In the VRT ruleset, these are represented through the "metadata" tag with
> options of "policy connectivity-ips", "policy balanced-ips", "policy
> security-ips", and the most recent one "ruleset community". PulledPork uses
> these along with the "-I <policy>" option to determine which rules to enable.
yes, this confirms the method with which the policy is determined... it is also
helpful for those who don't know or understand it...
> During early tests, running PulledPork against both VRT and ET with a policy
> specified did not enable any ET rule. Two options to overcome this:
> 1. Add ET sids/categories into enablesid.conf, and PulledPork will enable them
> regardless of policy specified, or (better)
> 2. Since PulledPork now processes modifysid.conf first (before enablesid.conf),
> add pcre to modify ET rules to include the desired policy and PulledPork should
> pick it up from there. I will need to re-test this one though.
ahh, very nice... i'm glad to see the PP has come such a long way in the short
time it has been available... excellent work by the maintainer! ;)
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
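To make the policy-filter behaviour above concrete: the following is an added example written for this post, not PulledPork's own Perl code. It parses the "metadata" option of a rule, mimics a policy-based selection, and applies the edit a modifysid.conf pcre would make (appending "policy <name>" to ET rules that carry no policy). The sample rules are constructed, and the function names are assumptions rather than any PulledPork API.

```python
import re

# Constructed sample rules (not real VRT/ET signatures): a VRT-style rule that
# already carries policy metadata, and an ET-style rule that carries none.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"VRT-STYLE test"; '
    'flow:to_server; content:"GET"; metadata:policy balanced-ips drop, '
    'policy security-ips drop, service http; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET-STYLE test"; '
    'flow:established; content:"foo"; classtype:trojan-activity; '
    'sid:2000001; rev:2;)',
]

META_RE = re.compile(r"metadata:([^;]*);")

def rule_policies(rule):
    """Return the set of policy names declared in the rule's metadata option."""
    m = META_RE.search(rule)
    if not m:
        return set()
    pols = set()
    for item in m.group(1).split(","):
        parts = item.strip().split()
        if len(parts) >= 2 and parts[0] == "policy":
            pols.add(parts[1])
    return pols

def select_for_policy(rules, policy):
    """Mimic a '-I <policy>' run: keep only rules whose metadata names it."""
    return [r for r in rules if policy in rule_policies(r)]

def add_policy(rule, policy):
    """Add 'policy <name>' to the rule, as a modifysid.conf search/replace would.
    Appends to an existing metadata option, otherwise inserts one before sid:."""
    if policy in rule_policies(rule):
        return rule
    m = META_RE.search(rule)
    if m:
        return (rule[:m.start(1)] + m.group(1).rstrip()
                + ", policy " + policy + rule[m.end(1):])
    return re.sub(r"(\s*sid:)", " metadata:policy " + policy + r";\1", rule, count=1)

if __name__ == "__main__":
    print("before:", len(select_for_policy(SAMPLE_RULES, "security-ips")), "rule(s)")
    fixed = [add_policy(r, "security-ips") for r in SAMPLE_RULES]
    print("after: ", len(select_for_policy(fixed, "security-ips")), "rule(s)")
```

The equivalent modifysid.conf entry is a per-sid (or wildcard) regex search/replace; take the exact entry syntax from the modifysid.conf shipped with your PulledPork version.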