[Snort-users] Default rule set

waldo kitty wkitty42 at ...14940...
Sat May 17 10:47:11 EDT 2014


On 5/17/2014 6:43 AM, Y M wrote:
>  > ummm... does this "security", "balanced", "connectivity" stuff pertain to the ET
>  > (EmergingThreats) rules sets?? ;)
>
> I don't think ET ruleset has these policies.

exactly, thanks for confirming this, YM... it is especially important since the 
OP's original question mentioned ET rules...

> In the VRT ruleset, these are represented through the "metadata" tag with
> options of "policy connectivity-ips", "policy balanced-ips", "policy
> security-ips", and the most recent one "ruleset community". PulledPork uses
> these along with the "-I <policy>" to determine what rules to enable.

yes, this confirms the method with which the policy is determined... it is also 
helpful for those who don't know or understand it...

> During early tests, running PulledPork against both VRT and ET with a policy
> specified did not enable any ET rule. Two options to overcome this:
> 1. Add ET sids/categories into enablesid.conf, and PulledPork will enable them
> regardless of policy specified, or (better)
> 2. Since PulledPork now processes modifysid.conf first (before enablesid.conf),
> add pcre to modify ET rules to include the desired policy and PulledPork should
> pick it up from there. I will need to re-test this one though.

ahh, very nice... i'm glad to see the PP has come such a long way in the short 
time it has been available... excellent work by the maintainer! ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
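Added illustration, not code from this thread or from PulledPork itself: the script below approximates what the quoted reply describes. It reads the "policy <name>-ips" entries from a rule's metadata option, selects the SIDs that a "-I <policy>" run would enable, lets an enablesid-style allowlist override the policy (option 1), and performs a modifysid-style find/replace that stamps a policy onto a rule that has none (option 2), so that an ET-style rule is picked up by the same policy filter afterwards. The sample rules and their SIDs are constructed placeholders, and the exact metadata parsing PulledPork performs is an assumption here, not a reading of its source.

```python
import re

# Constructed sample rules (placeholder SIDs, not from any real ruleset).
SAMPLE_RULES = [
    # VRT-style rule carrying two policies in its metadata option
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE VRT rule"; '
    'flow:to_server,established; content:"example"; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; '
    'classtype:example-type; sid:1000001; rev:1;)',
    # VRT-style rule that only the security policy enables
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE VRT security-only"; '
    'flow:to_server,established; content:"other"; '
    'metadata:policy security-ips drop; classtype:example-type; sid:1000002; rev:1;)',
    # ET-style rule with no policy metadata at all
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE ET rule"; '
    'flow:to_server,established; content:"et-example"; '
    'classtype:example-type; sid:2000001; rev:1;)',
]

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
METADATA_RE = re.compile(r'\bmetadata:\s*([^;]*);')
POLICY_RE = re.compile(r'\bpolicy\s+([a-z]+-ips)\b')


def rule_sid(rule):
    """Return the rule's SID as an int, or None if the rule has no sid option."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_policies(rule):
    """Return the set of policy names (e.g. 'balanced-ips') named in the metadata option."""
    m = METADATA_RE.search(rule)
    if not m:
        return set()
    return set(POLICY_RE.findall(m.group(1)))


def select_for_policy(rules, policy, enablesid=frozenset()):
    """SIDs a '-I <policy>' style run would enable: rules tagged with that policy,
    plus any SID listed in the enablesid allowlist regardless of policy (option 1)."""
    enabled = set()
    for rule in rules:
        sid = rule_sid(rule)
        if sid is None:
            continue
        if policy in rule_policies(rule) or sid in enablesid:
            enabled.add(sid)
    return enabled


def add_policy(rule, policy):
    """modifysid-style rewrite (option 2): tag a rule with the given policy.
    Extends an existing metadata option, or inserts one before sid: if absent."""
    if policy in rule_policies(rule):
        return rule  # already tagged, leave untouched
    tag = 'policy %s drop' % policy
    if METADATA_RE.search(rule):
        return METADATA_RE.sub(
            lambda m: 'metadata:' + m.group(1).rstrip() + ', ' + tag + ';', rule, count=1)
    return SID_RE.sub(lambda m: 'metadata:' + tag + '; ' + m.group(0), rule, count=1)


def tag_untagged_rules(rules, policy, sid_floor=2000000):
    """Apply add_policy to every rule whose SID is at or above sid_floor
    (constructed stand-in for 'the ET SID range')."""
    return [add_policy(r, policy) if (rule_sid(r) or 0) >= sid_floor else r for r in rules]


if __name__ == '__main__':
    for pol in ('connectivity-ips', 'balanced-ips', 'security-ips'):
        print(pol, sorted(select_for_policy(SAMPLE_RULES, pol)))
    tagged = tag_untagged_rules(SAMPLE_RULES, 'balanced-ips')
    print('after modifysid-style tagging:', sorted(select_for_policy(tagged, 'balanced-ips')))
```

With the sample set, a balanced-ips run enables only the VRT rule tagged for that policy; the ET-style rule is skipped until it is either allowlisted or rewritten to carry the policy, which is exactly the gap the two options in the thread address.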