[Snort-users] Pulledpork: preprocessors, ips_policy and snort.conf

Y M snort at ...15979...
Sun Apr 26 07:31:14 EDT 2015

From: miboe60 at ...125...
To: snort-users at lists.sourceforge.net
Date: Sun, 26 Apr 2015 12:51:18 +0200
Subject: [Snort-users] Pulledpork: preprocessors, ips_policy and snort.conf


How does the pulledpork ips_policy works in conjunction with the snort.conf?
# The best way I understand it is that the policy ties to the policy specification in Snort rules. If you look at the rules' metadata, you will see the policy specification for a given rule. When you run PulledPork specifying the policy using the (-I <security|balanced|connectivity>) switch, it will enable the rules that match the selected policy with the rules metadata policy. 
In more detail, does it still make sense to activate preprocessors in my snort.conf, or are they ignored by pulledpork?

# if the preporcessor's stub rules are denoted with the appropriate policy metadata, then PulledPork will enable them according to the chosen policy (security|balanced|connectivity).

For example, if I activate the arpspoof preprocessor in snort.conf, and then run Pulledpork in 'security' mode, the arpspoof rules are all commented.  Surely, I can activate them through the 'enablesid.conf', but then it would mean that the snort.conf options are ignored?
# See my second comment above. Having the preprocessor not report any output, i.e.: alert, does not mean that the preprocessor is not working. A simpler example in this case is the http_inspect preprocessor. It has its own rules/gid which may not be enabled, however, it is still processing http traffic to be used in text rules, i.e.: http_header, http_uri, etc.


One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150426/3280e718/attachment.html>

More information about the Snort-users mailing list