[Snort-users] Re: Re: PulledPork and empty Emerging ruleset

snort at ...15979...
Sat May 30 16:46:20 EDT 2015


I did NOT say that PulledPork can't generate ET rules. If you look back at my previous answer, all I said was that ET rules do NOT include the required metadata to classify rules based on policy.
Also, like I said earlier, you can use enablesid.conf to enable what you choose from ET. In fact, if you open enablesid.conf, you will see an example of how to enable ET rules.

Sent from Mobile
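
The following is an added illustration of the two points made in this thread, written for this page and not taken from PulledPork's own Perl code: with "-I <policy>" a rule is kept enabled only if its metadata carries "policy <policy>-ips", so ET rules (which have no policy metadata) come out commented out, and enablesid.conf entries (gid:sid, a sid range, or a category name) re-enable rules afterwards. The rule files, SIDs 9000001-9000004 and the rule text are constructed samples; matching a category entry against the rule file name (emerging-trojan.rules -> "emerging-trojan") is an assumption made for this example, not a statement about how PulledPork matches categories.

```python
"""Illustration (not PulledPork's own code) of policy-based enabling and
enablesid.conf re-enabling. Category-to-file-name matching is an assumption."""
import re

METADATA_RE = re.compile(r"\bmetadata\s*:([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "log", "reject", "sdrop")

# Constructed sample rule files; SIDs 9000001-9000004 are placeholders.
SAMPLE_FILES = {
    "malware-cnc.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE-TALOS in balanced and security"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE-TALOS connectivity only, shipped disabled"; flow:to_server,established; metadata:policy connectivity-ips drop; classtype:web-application-attack; sid:9000002; rev:1;)
""",
    "emerging-trojan.rules": """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE-ET style rule, no policy metadata"; flow:established,to_server; metadata: created_at 2015_05_30, updated_at 2015_05_30; classtype:trojan-activity; sid:9000003; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"SAMPLE-ET style rule, no policy metadata"; metadata: created_at 2015_05_30; classtype:trojan-activity; sid:9000004; rev:1;)
""",
}


def parse_rule(line):
    """Return a dict for one rule line (enabled flag, gid, sid, policies, body) or None."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("# ").strip()      # drop a leading "# " if commented out
    if not body.startswith(ACTIONS):
        return None                           # plain comment, not a rule
    sid_m = SID_RE.search(body)
    if not sid_m:
        return None
    gid_m = GID_RE.search(body)
    policies = set()
    meta_m = METADATA_RE.search(body)
    if meta_m:                                # collect every "policy <name>" item
        for item in meta_m.group(1).split(","):
            parts = item.strip().split()
            if len(parts) >= 2 and parts[0] == "policy":
                policies.add(parts[1])
    return {"enabled": enabled, "gid": int(gid_m.group(1)) if gid_m else 1,
            "sid": int(sid_m.group(1)), "policies": policies, "body": body}


def load(files):
    """Parse {filename: text} into {filename: [rule dict, ...]}."""
    return {name: [r for r in map(parse_rule, text.splitlines()) if r]
            for name, text in files.items()}


def apply_policy(rules, policy):
    """Mimic -I <policy>: a rule is enabled iff its metadata lists 'policy <policy>-ips'."""
    tag = policy + "-ips"
    for rule_list in rules.values():
        for rule in rule_list:
            rule["enabled"] = tag in rule["policies"]


def parse_enablesid(spec):
    """Parse one enablesid.conf item: '1:123', '1:100-1:200' or a category name."""
    spec = spec.strip()
    if not spec:
        return None
    if ":" not in spec:
        return ("category", spec.lower())
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        gid, lo_sid = (int(x) for x in lo.split(":"))
        _, hi_sid = (int(x) for x in hi.split(":"))
        return ("range", gid, lo_sid, hi_sid)
    gid, sid = (int(x) for x in spec.split(":"))
    return ("sid", gid, sid)


def apply_enablesid(rules, lines):
    """Re-enable matching rules; '#' starts a trailing comment, ',' separates items."""
    for line in lines:
        for item in line.split("#", 1)[0].split(","):
            spec = parse_enablesid(item)
            if spec is None:
                continue
            for fname, rule_list in rules.items():
                category = fname[:-6] if fname.endswith(".rules") else fname  # assumption
                for rule in rule_list:
                    if spec[0] == "category":
                        hit = category.lower() == spec[1]
                    elif spec[0] == "range":
                        hit = rule["gid"] == spec[1] and spec[2] <= rule["sid"] <= spec[3]
                    else:
                        hit = (rule["gid"], rule["sid"]) == (spec[1], spec[2])
                    if hit:
                        rule["enabled"] = True


def generate(files, policy, enablesid_lines=()):
    """Return {filename: [enabled sids]} after policy and enablesid processing."""
    rules = load(files)
    apply_policy(rules, policy)
    apply_enablesid(rules, enablesid_lines)
    return {name: [r["sid"] for r in rl if r["enabled"]] for name, rl in rules.items()}


if __name__ == "__main__":
    print(generate(SAMPLE_FILES, "security"))                      # ET file comes out empty
    print(generate(SAMPLE_FILES, "security", ["emerging-trojan"]))  # category entry re-enables it
```

With "security" alone the emerging-trojan file has no enabled rules, which is the "empty ET files" symptom reported in the thread; adding a category line (or a gid:sid or range line) to the enablesid input brings the chosen ET rules back regardless of the policy.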
On Sat, May 30, 2015 at 1:37 PM -0700, "Robert Lasota" <wrkilu at ...3879...> wrote:
On Saturday, 30 May 2015 13:45, Y M <snort at ...15979...> wrote:

ET rules do not include the metadata required to designate a rule to a rules policy. Check the metadata keyword in a VRT/TALOS rule to see how. PulledPork uses this metadata to match the policy specified on the command line with rules.

Use ET categories in enablesid.conf to enable by category.

Sent from Mobile
The main reason I used PulledPork is its ability to choose the ruleset which it generates (by setting the -I parameter to security, balanced or connectivity). Then I know why some rules are enabled and why others are commented out in the result files. But when you tell me that PulledPork can't generate Emerging rules in the same way as Snort's rules, how should I decide which rules from Emerging should be enabled and which should be commented out?
On Sat, May 30, 2015 at 4:39 AM -0700, "Robert Lasota" <wrkilu at ...3879...> wrote:

Hi,

I use "-I security" when generating rules, and I also use Snort and Emerging (open source) rules. As a result I get many VRT rules and unfortunately many empty ET-emerging rule files. So my question is: is it normal that "-I security" causes ET rules not to be used? Second question: should I use some workaround to enable ET-emerging rules anyway? And possibly how?

Thanks

Robert