[Snort-users] Default rule set

Jefferson, Shawn Shawn.Jefferson at ...14448...
Fri May 23 12:15:53 EDT 2014


I keep my VRT and ET rules separate, so separate PP config files, and separate combined .rules files as well.  This just works better for my personal setup.

-----Original Message-----
From: Sallee, Jake [mailto:Jake.Sallee at ...15646...] 
Sent: May 17, 2014 10:44 PM
To: snort-users
Subject: [Snort-users] Default rule set

Firstly, thank you all for the info, it has been very helpful.

I have configured my pulled pork with the security setting and it seems to be working well.  Now, as others have pointed out, configuring this setting in PP turns off all ET rules.  So my question is: are the rules turned on with the "security" setting in PP sufficient or should I augment them with rules from the ET set?

Also, a quick question about this suggestion:

> 2. Since PulledPork now processes modifysid.conf first (before 
> enablesid.conf), add pcre to modify ET rules to include the desired 
> policy and PulledPork should pick it up from there. I will need to re-test this one though.

Please forgive my inexperience but I am reading this statement two different ways:

1) Set PP with the security setting and use PCRE to enable ET rules in the modifysid.conf file or
2) Use PCRE to enable the security sub-set of rules in modifysid.conf while PP is configured to use the ET rule set

Which one is correct, or am I wrong on both counts?

And lastly, if I do use some ET rules in conjunction with the security set of rules I will need to do some serious pruning to keep under the aforementioned 7,000 rule suggested limit. Are there any rules that duplicate effort in the ET and Security sets?  If so, is there an easy way to identify them and which one should I choose to use?

Thank you all again.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: waldo kitty [wkitty42 at ...14940...]
Sent: Saturday, May 17, 2014 9:47 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Default rule set

On 5/17/2014 6:43 AM, Y M wrote:
>  > ummm... does this "security", "balanced", "connectivity" stuff 
> pertain to the ET  > (EmergingThreats) rules sets?? ;)
>
> I don't think ET ruleset has these policies.

exactly, thanks for confirming this, YM... it is especially important since the OP's original question mentioned ET rules...

> In the VRT ruleset, these are represented through the "metadata" tag 
> with options of "policy connectivity-ips", "policy balanced-ips", 
> "policy security-ips", and the most recent one "ruleset community". 
> PulledPork use these along with the "-I <policy>" to determine what rules to enable.

yes, this confirms the method with which the policy is determined... it is also helpful for those who don't know or understand it...

> During early tests, running PulledPork against both VRT and ET with a 
> policy specified, did not enable any ET rule. Two options to overcome this:
> 1. Add ET sids/categories into enablesid.conf, and PulledPork will 
> enable them regardless of policy specified, or (better) 2. Since 
> PulledPork now processes modifysid.conf first (before enablesid.conf), 
> add pcre to modify ET rules to include the desired policy and 
> PulledPork should pick it up from there. I will need to re-test this one though.

ahh, very nice... i'm glad to see the PP has come such a long way in the short time it has been available... excellent work by the maintainer! ;)

--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list