[Snort-users] Snort rules

Joel Esler (jesler) jesler at ...589...
Tue Jun 14 18:34:30 EDT 2016


The “on/off” state, by default, equates, roughly, to balanced.  You have to adjust your posture from there.


--
Joel Esler
Manager, Talos Group




> On Jun 14, 2016, at 11:09 AM, Y M <snort at ...15979...> wrote:
> 
> Yes, as far as I understand. In a very abstract form, the policy is expressed in the "metadata" keyword within each rule using definitions such as balanced-ips, security-ips. This is how PulledPork can tell which rules to enable based on the selected policy. There is a one-to-one mapping of policies between the ruleset and PulledPork (not sure about the max-ips though).
> 
> YM
> 
> Sent from Mobile
> 
> _____________________________
> From: Dan Roberts <danroberts2604 at ...11827...>
> Sent: Tuesday, June 14, 2016 5:24 PM
> Subject: Re: [Snort-users] Snort rules
> To: Y M <snort at ...15979...>
> 
> 
> Thanks for the link :-)
> 
> I knew that with some dedicated tools (like Pulledpork) you can generate your set of rules based on: connectivity, balanced or security profile.
> 
> Does it mean that the package delivered by default by Snort for the registered users (snortrules-snapshot-xxx.tar.gz) provides the same set of rules (known as "Balanced Base Policy") as the balanced one built by PulledPork?
> 
> 
> 
> On Tue, Jun 14, 2016 at 3:00 PM, Y M <snort at ...15979...> wrote:
> Check this link: http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
> 
> YM
> 
> Sent from Mobile
> 
> 
> 
> 
> On Tue, Jun 14, 2016 at 3:55 PM +0300, "Dan Roberts" <danroberts2604 at ...11827...> wrote:
> 
> Hi all,
> 
> Does someone know what decides which rules are commented out (#) in the *.rules files contained in the snortrules-snapshot-29xx.tar.gz package?
> 
> Are they outdated? So why do we keep them in the files?
> 
> Thanks
> 
> Dan
> 
> 
> 
> 
> 
> 
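The thread describes the mechanism but does not show it: each VRT-style rule carries `policy <name> <action>` entries inside its `metadata` keyword, and a tool such as PulledPork enables or comments out each rule depending on whether the selected policy appears there. The script below is an added example illustrating that selection step; it is not PulledPork's code or anything from Talos. It assumes the metadata format `metadata:policy balanced-ips drop, policy security-ips drop, service http;`, uses the policy names mentioned in the thread (connectivity-ips, balanced-ips, security-ips), and runs over a handful of constructed sample rules rather than a real snapshot. A rule with no policy entry at all is left commented out under every policy, which is the conservative choice for an unknown rule.

```python
"""Enable or comment out Snort rules by the policy tags in their metadata.

Added example (not PulledPork's or Talos's code). Assumes VRT-style
rules whose metadata keyword holds entries like 'policy balanced-ips drop'.
"""
import re

# Constructed sample rules for this example; SIDs and content are made up.
SAMPLE_RULES = """\
# Constructed sample rules (not from a real VRT snapshot)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE A balanced+security"; flow:to_server,established; content:"GET"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE B security only"; flow:to_server,established; content:"POST"; metadata:policy security-ips drop, service http; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE C all three"; flow:to_server,established; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE D no policy tag"; flow:to_server,established; metadata:service smtp; sid:9000004; rev:1;)
"""

# A rule line: optional leading '#', then an action keyword, ending in ')'.
# Plain comments and blank lines do not match and are passed through untouched.
RULE_LINE = re.compile(
    r"^\s*(?P<prefix>#\s*)?"
    r"(?P<body>(?:alert|drop|log|pass|reject|sdrop)\s+\S.*\)\s*)$"
)
METADATA = re.compile(r"metadata:(?P<meta>[^;]*);")
POLICY_ENTRY = re.compile(r"^policy\s+(?P<name>\S+)\s+(?P<action>\S+)$")
SID = re.compile(r"\bsid:\s*(\d+)\s*;")


def policies_of(rule: str) -> dict:
    """Return {policy_name: action} declared in the rule's metadata keyword."""
    m = METADATA.search(rule)
    if not m:
        return {}
    found = {}
    for entry in m.group("meta").split(","):
        pm = POLICY_ENTRY.match(entry.strip())
        if pm:
            found[pm.group("name")] = pm.group("action")
    return found


def sid_of(rule: str):
    """Return the rule's SID as an int, or None if it has none."""
    m = SID.search(rule)
    return int(m.group(1)) if m else None


def apply_policy(rules_text: str, policy: str) -> str:
    """Rewrite a rules file so exactly the rules tagged with `policy` are enabled."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            out.append(line)  # not a rule: keep as is
            continue
        body = m.group("body").rstrip()
        out.append(body if policy in policies_of(body) else "# " + body)
    return "\n".join(out) + "\n"


def enabled_sids(rules_text: str) -> set:
    """SIDs of the rules that are currently active (not commented out)."""
    sids = set()
    for line in rules_text.splitlines():
        m = RULE_LINE.match(line)
        if m and not m.group("prefix"):
            sid = sid_of(m.group("body"))
            if sid is not None:
                sids.add(sid)
    return sids


if __name__ == "__main__":
    print("as shipped :", sorted(enabled_sids(SAMPLE_RULES)))
    for name in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(f"{name:16}:", sorted(enabled_sids(apply_policy(SAMPLE_RULES, name))))
```

Pointed at a real snapshot, comparing `enabled_sids(text)` for the file as shipped against `enabled_sids(apply_policy(text, "balanced-ips"))` is a quick way to check the claim made in this thread, that the shipped on/off state is roughly the balanced policy, and to see exactly which SIDs differ before deciding how to adjust the posture.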
