[Snort-users] Rules managing

Y M snort at ...15979...
Tue May 26 10:56:52 EDT 2015

Comments below.
Date: Tue, 26 May 2015 15:52:15 +0200
From: wrkilu at ...3879...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rules managing


We want to use rules: snortrules-snapshot, community-rules and emerging.rules. Now we also want to use PulledPork to prepare them (or it could be Oinkmaster). Moreover, I see snort and emerging have categories, e.g. imap, smtp, malware, dos and so on. But community doesn't have them - just one file.

# Community rules are already included in the snortrules-snapshot (registered or subscription), hence they are already categorized.


My questions are:

- how to split custom rules into categories (by apps) like there are in snort and emerging?

# This can be done when you write your own rules, in the "msg" option. For example MALWARE-CNC or MALWARE-OTHER. If you take a look at PulledPork enablesid.conf, for example, you can see how rules can be enabled by category. I hope this is what you are referring to by "categories".

- why are so many of the rules (in every one of those groups) commented out? I know about three groups: Connectivity, Balanced, Security, but when I use this approach I lose the apps categorization approach (I think...)

# I am not sure I understand what you mean. Is it the separate rules files (malware-cnc.rules, etc.) that you lose? Or is it something else?

- how to bring together these two approaches: categorization and apps? Because the best would be if we could first grab rules from the Security group, and then grab from it rules just for e.g. malware and voip.

# PulledPork can do this as far as I recall. You specify the policy as "Security" and tell PulledPork to keep the rules in their respective rules files - or category, if I understand you correctly - instead of putting all the rules in one file.


Thanks in advance
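
The selection discussed in this message (policy first, then category, with each category kept in its own rules file), as an added Python example that is not part of the original thread and is not PulledPork's own code. The sample rules are constructed, `select_rules` is a hypothetical helper, and it assumes policy membership is carried in the rule's `metadata` option (`policy security-ips drop`) and the category is the first word of `msg`.

```python
import re

# Constructed sample rules (not real signatures); SIDs are from the local range.
SAMPLE_RULES = r'''
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Example.Trojan outbound beacon"; content:"/gate.php"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"PROTOCOL-VOIP Example SIP malformed header"; content:"INVITE"; metadata:policy security-ips drop; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP Example login overflow attempt"; content:"LOGIN"; metadata:policy security-ips drop; sid:1000003; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Example dropper download"; content:"MZ"; metadata:policy max-detect-ips drop; sid:1000004; rev:1;)
# This line is an ordinary comment, not a disabled rule.
'''

RULE_RE = re.compile(r'^\s*#?\s*((?:alert|drop|log|pass|reject|sdrop)\s.*\))\s*$')
MSG_RE = re.compile(r'msg:\s*"([^"]+)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
POLICY_RE = re.compile(r'\bpolicy\s+([\w-]+)\s+(?:alert|drop)\b')


def select_rules(text, policy, wanted):
    """Enable rules that are in `policy` AND whose msg category has a wanted token.

    Returns {rules_file_name: [(sid, enabled_rule), ...]}, one file per category.
    """
    wanted = {w.upper() for w in wanted}
    files = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # blank line or ordinary comment
        rule = m.group(1)                 # rule text with the leading '#' removed
        msg, sid = MSG_RE.search(rule), SID_RE.search(rule)
        if not (msg and sid):
            continue
        category = msg.group(1).split()[0].upper()   # e.g. MALWARE-CNC
        if policy not in POLICY_RE.findall(rule):
            continue                      # stays disabled: not part of this policy
        if not wanted & set(category.split('-')):
            continue                      # in the policy, but not a wanted category
        files.setdefault(category.lower() + '.rules', []).append((int(sid.group(1)), rule))
    return files


if __name__ == '__main__':
    for name, rules in select_rules(SAMPLE_RULES, 'security-ips', {'malware', 'voip'}).items():
        print(name, [sid for sid, _ in rules])
```

Rules that carry no tag for the chosen policy are the ones left commented out, which is why the IMAP rule (wrong category) and the MALWARE-OTHER rule (not in the policy) are both skipped here.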




