[Snort-users] Odp: Re: Odp: Re: PulledPork and empty Emerging ruleset

snort at ...15979...
Sat May 30 17:48:03 EDT 2015


There isn't really one right answer to your question. The short answer is it depends on your environment and associated risk.
The long answer is that you may need to review the categories, rules, documentation, etc., and validate what best suits your environment. Either way, VRT or ET, you eventually will end up knowing what is actually being enabled, with or without policy. For example, there are a lot of MS rules with security policy so they get enabled when you use the security policy; however, the environment may be entirely comprised of Linux and OS X machines. In this case knowing about the policy alone is not helpful.
I suggest you review what value ET rules can add to detection in your environment and what the rules/categories are addressing, and where your risk is (malware, exploits, web servers, SCADA, etc.).
Did I address the question or misunderstand the point?
Sent from Mobile
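The check the reply recommends, done mechanically, as an added example (not from the thread, from PulledPork or from any ruleset): parse each rule line, note whether it is commented out, and pull policy names only from the rule's `metadata` option, so enabled rules that owe their state to a policy tag can be told apart from enabled rules that carry none. The sample rules and their SIDs are constructed.

```python
import re
from collections import Counter
# Constructed sample rules (placeholder SIDs): two VRT-style rules carrying
# policy metadata and two ET-style rules whose metadata has no policy entry.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS example"; sid:1000001; rev:1; classtype:attempted-admin; metadata:policy balanced-ips drop, policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP example"; sid:1000002; rev:1; classtype:web-application-attack; metadata:policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE example"; sid:2800001; rev:2; classtype:trojan-activity; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"ET SCADA example"; sid:2800002; rev:1; classtype:attempted-admin; metadata:created_at 2011_02_01;)
"""

# A rule line, optionally commented out; the rule header never contains "(".
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?:alert|drop|log|pass|reject)\s[^(]*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Return sid, msg, enabled flag and policy names for one rule line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group('opts')
    sid = re.search(r'\bsid:\s*(\d+)', opts)
    msg = re.search(r'msg:"([^"]*)"', opts)
    # Only the metadata option can carry policy tags; msg text is ignored so
    # an "ET POLICY ..." message does not count as a policy.
    meta = re.search(r'metadata:\s*([^;]*)', opts)
    policies = set(re.findall(r'\bpolicy\s+([\w-]+)', meta.group(1))) if meta else set()
    return {'sid': int(sid.group(1)) if sid else None,
            'msg': msg.group(1) if msg else '',
            'enabled': m.group('off') is None,
            'policies': policies}

def audit(text):
    """Parse rule text; return the rule list and a count by (state, policy tag)."""
    rows = [r for r in (parse_rule(l) for l in text.splitlines()) if r]
    summary = Counter()
    for r in rows:
        state = 'enabled' if r['enabled'] else 'disabled'
        summary[(state, 'with-policy' if r['policies'] else 'no-policy')] += 1
    return rows, summary

def enabled_without_policy(rows):
    """SIDs that are on but carry no policy tag: the ET case the thread is about."""
    return sorted(r['sid'] for r in rows if r['enabled'] and not r['policies'])

if __name__ == '__main__':
    rows, summary = audit(SAMPLE_RULES)
    for (state, tag), n in sorted(summary.items()):
        print(f'{state:8} {tag:12} {n}')
    print('enabled without policy:', enabled_without_policy(rows))
```

Point `audit()` at the contents of a real `.rules` file to get the same breakdown for a whole category.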




On Sat, May 30, 2015 at 2:14 PM -0700, "Robert Lasota" <wrkilu at ...3879...> wrote:
On Saturday, 30 May 2015 22:46 <snort at ...15979...> wrote:

I did NOT say the PulledPork can't generate ET rules. If you look back at my previous answer all I said was that ET rules do NOT include the required metadata to classify rules based on policy.

Also like I said earlier, you can use the enablesid.conf to enable what you choose from ET. In fact, if you open enablesid.conf, you will see an example of how to enable ET rules.

Sent from Mobile





You didn't understand me, I know I can turn on ET in enablesid.conf. But... without a policy, how do I decide which rules in each ET file should be on or commented out??



Robert

