[Snort-users] Rules managing
Y M
snort at ...15979...
Tue May 26 10:56:52 EDT 2015
Comments below.
YM
Date: Tue, 26 May 2015 15:52:15 +0200
From: wrkilu at ...3879...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rules managing
Hi,
We want to use rules: snortrules-snapshot, community-rules and emerging.rules. Now we also want to use PulledPork to prepare them (or it could be Oinkmaster). Moreover, I see that snort and emerging have categories, e.g. imap, smtp, malware, dos and so on. But community doesn't have them; it's just one file.
# Community rules are already included in the snortrules-snapshot (registered or subscription), hence they are already categorized.
My questions are:
- how to split custom rules into categories (by apps) like snort and emerging have?
# This can be done when you write your own rules, in the "msg" option. For example MALWARE-CNC or MALWARE-OTHER. If you take a look at PulledPork's enablesid.conf, for example, you can see how rules can be enabled by category. I hope this is what you are referring to by "categories".
- why are so many of the rules (in every one of those groups) commented out? I know about the three groups: Connectivity, Balanced, Security, but when I use this approach I lose the app categorization approach (I think...)
# I am not sure I understand what you mean. Is it the separate rules files (malware-cnc.rules, etc.) that you lose? or is it something else?
- how to bring together these two approaches, categorization and apps? Because the best would be if we could first grab the rules from the Security group, and then grab from those just the rules for, e.g., malware and voip.
# PulledPork can do this as far as I recall. You specify the policy as "Security" and tell PulledPork to keep the rules in their respective rules files - or category, if I understand you correctly - instead of putting all the rules in one file.
Thanks in advance
Robert
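For readers landing on this thread: the two "approaches" Robert asks about are orthogonal in the snortrules-snapshot, and that is what makes combining them easy. The policy (connectivity/balanced/security) is carried inside each rule as metadata ("metadata:policy balanced-ips drop, policy security-ips drop"), while the category is just the .rules file the rule ships in (malware-cnc.rules, voip.rules, ...). PulledPork's ips_policy setting uses the first and the -k switch (keep category files instead of a single snort.rules) preserves the second. The script below is an added example, not PulledPork's code, that does the same selection on a constructed set of rule files so you can see which rules end up enabled: a rule is enabled only if its metadata names the requested policy, whether or not the vendor shipped it commented out, and only the requested categories (matched by file-name prefix, so "malware" covers malware-cnc and malware-other) are written. The rule text and sids are made up for illustration. One caveat a practitioner should keep in mind: the emerging.rules files generally do not carry these policy tags, so a policy filter alone leaves them disabled and you have to enable them explicitly (e.g. via enablesid.conf).

```python
"""Select Snort rules by IPS policy and by category, keeping per-category files.

Added example, not PulledPork's code: it mimics what ips_policy=security plus
keeping the vendor's category files produces. The rules below are constructed
for illustration; the sids are made up.
"""
import re

POLICIES = ("connectivity", "balanced", "security", "max-detect")

# A rule line, optionally commented out by the vendor. Non-greedy ".*?" stops at
# the first "(" so parentheses inside pcre options do not confuse the parser.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|sdrop|reject)\s+.*?\((?P<body>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
# Snapshot rules tag policies as "policy balanced-ips drop, policy security-ips drop".
POLICY_RE = re.compile(r"policy\s+([a-z-]+)-ips\s+(?:drop|alert)")

# Constructed sample "rule files" keyed by file name (category), not real rules.
SAMPLE_RULES = {
    "malware-cnc.rules": "\n".join([
        "# ----- constructed sample, not a real rule file -----",
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Example beacon"; flow:to_server,established; content:"/beacon"; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:1;)',
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Example noisy checkin"; flow:to_server,established; content:"/checkin"; metadata:policy security-ips drop; sid:9000002; rev:1;)',
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Example no policy tag"; flow:to_server,established; content:"/legacy"; sid:9000003; rev:1;)',
    ]),
    "malware-other.rules": "\n".join([
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Example dropper"; flow:to_client,established; content:"MZ"; metadata:policy security-ips alert; sid:9000010; rev:1;)',
    ]),
    "voip.rules": "\n".join([
        '# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP Example SIP INVITE"; content:"INVITE"; metadata:policy security-ips alert; sid:9000020; rev:1;)',
        'alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP Example SIP OPTIONS"; content:"OPTIONS"; metadata:policy balanced-ips alert; sid:9000021; rev:1;)',
    ]),
    "browser-ie.rules": "\n".join([
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Example"; flow:to_client,established; content:"<object"; metadata:policy security-ips drop; sid:9000030; rev:1;)',
    ]),
}


def parse_rules(text):
    """Return one dict per rule: sid, msg, vendor-disabled flag, policy set, rule text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and "# ----" banners are not rules
        body = m.group("body")
        sid = SID_RE.search(body)
        if not sid:
            continue  # a rule without a sid cannot be managed by sid anyway
        msg = MSG_RE.search(body)
        rules.append({
            "sid": int(sid.group(1)),
            "msg": msg.group(1) if msg else "",
            "vendor_disabled": m.group("disabled") is not None,
            "policies": set(POLICY_RE.findall(body)),
            "rule": re.sub(r"^#\s*", "", line),  # rule text without the comment marker
        })
    return rules


def build_policy_files(rule_files, policy, categories=None):
    """Return {category: [rule dicts]} with an "enabled" flag set per rule.

    A rule is enabled only if its metadata lists `policy`; the vendor's own
    comment marker is ignored, which is what applying an IPS policy means.
    `categories` are file-name prefixes ("malware" matches malware-cnc etc.).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}; expected one of {POLICIES}")
    selected = {}
    for fname, text in rule_files.items():
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        if categories and not any(category == c or category.startswith(c + "-") for c in categories):
            continue
        rules = parse_rules(text)
        for r in rules:
            r["enabled"] = policy in r["policies"]
        selected[category] = rules
    return selected


def enabled_sids(selected):
    """Sorted sids that end up enabled across all selected categories."""
    return sorted(r["sid"] for rules in selected.values() for r in rules if r["enabled"])


def render_category_file(rules):
    """Rule file text for one category: enabled rules live, the rest commented out."""
    return "\n".join(r["rule"] if r["enabled"] else "# " + r["rule"] for r in rules) + "\n"


if __name__ == "__main__":
    # Security policy, but only the malware-* and voip categories (Robert's wish list).
    for category, rules in build_policy_files(SAMPLE_RULES, "security", ["malware", "voip"]).items():
        print(f"--- {category}.rules ---")
        print(render_category_file(rules), end="")
```

Running it prints three files (malware-cnc, malware-other, voip) and no browser-ie file; sid 9000002 is uncommented because it carries the security policy, while 9000003 (no policy tag) and 9000021 (balanced only) stay commented out. Swap "security" for "balanced" and the selection flips accordingly, which is exactly the behaviour a policy change in pulledpork.conf gives you without touching the category layout.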
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!