[Snort-users] Snort rules

Y M snort at ...15979...
Tue Jun 14 11:09:27 EDT 2016


Yes, as far as I understand. In a very abstract form, the policy is expressed in the "metadata" keyword within each rule using definitions such as balanced-ips, security-ips . This is how PulledPork can tell which rules to enable based on the selected policy. There is a one-to-one mapping of policies between the ruleset and PulledPork (not sure about the max-ips through).

YM

Sent from Mobile

_____________________________
From: Dan Roberts <danroberts2604 at ...11827...<mailto:danroberts2604 at ...13610...7...>>
Sent: Tuesday, June 14, 2016 5:24 PM
Subject: Re: [Snort-users] Snort rules
To: Y M <snort at ...15979...<mailto:snort at ...15979...>>


Thanks for the link :-)

I knew that with some dedicated tools (like Pulledpork) you can generate your set of rules based on: connectivity, balanced or security profile.

Does it mean that the package delivered by default by Snort for the registered users (snortrules-snapshot-xxx.tar.gz) provides the same set of rules (known as "Balanced Base Policy") as the balanced-one built by Pulledpork ?



On Tue, Jun 14, 2016 at 3:00 PM, Y M <snort at ...15979...<mailto:snort at ...16053...79...>> wrote:
Check this link: http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html

YM

Sent from Mobile




On Tue, Jun 14, 2016 at 3:55 PM +0300, "Dan Roberts" <danroberts2604 at ...14540...27...<mailto:danroberts2604 at ...11827...>> wrote:

Hi all,

Does someone know what decides which rules are commented out (#) in the *.rules files contained in he snortrules-snapshot-29xx.tar.gz package?

Are they outdated ? So why do we keep them in the files ?

Thanks

Dan






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160614/15ce3b4f/attachment.html>


More information about the Snort-users mailing list