[Snort-users] VRT rules policy question

Stanford Prescott stan.prescott at ...11827...
Tue Apr 4 15:52:01 EDT 2017


Thank you for your responses, Joel and Michael.

Perhaps I am oversimplifying this, but it seems to me that the emerging
threats rules could just be left alone. If someone wants to use the VRT
policies, they could be informed that ET doesn't participate in the
security policy settings and that the user should adjust their ET rules on
their own if they need to if they want to use the VRT rules policy and ET
rules together.

Maybe if it is felt that the ET rules need to be disabled, it would be
better to just remove the includes for the ET rules (comment them out) in
the snort.conf file instead of disabling each separate alert in each ET
rules file. That would make it somewhat easier for the user to re-enable
the ET rules files than having to uncomment each separate alert in the ET
rules files.

On Tue, Apr 4, 2017 at 1:50 PM, Joel Esler (jesler) <jesler at ...589...>
wrote:

> I would imagine, because ET doesn’t use the policy features.
>
> Sounds like you need to submit an issue to pulledpork:
> https://github.com/shirkdog/pulledpork/issues
>
> --
> Joel Esler | Talos: Manager | jesler at ...589...
>
> On Apr 4, 2017, at 12:42 PM, Stanford Prescott <stan.prescott at ...11827...>
> wrote:
>
> When using pulledpork and setting a VRT rules policy like connectivity,
> balanced or security, why are emerging threats rules disabled?
>
> After selecting a security policy, if one were to want to return to no
> security policy and re-enable the emerging threats rules, is there a quick
> way to do that using pulledpork?

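The include-level toggle suggested in the message above, sketched as an added example (not code from the thread, pulledpork or Snort). It assumes ET rule files follow the emerging-*.rules naming and are loaded through "include" lines in snort.conf; the marker string, the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: switch ET rule includes off and on in snort.conf without
# editing the individual alerts inside each ET rules file.
ET_MARK='#ET-OFF# '   # hypothetical marker; tags only lines this script disabled

# et_includes disable|enable <snort.conf>
et_includes() {
    mode=$1 conf=$2
    tmp=$(mktemp) || return 1
    case $mode in
        disable)
            # Tag active ET includes only; already-commented lines are not
            # matched, so running "disable" twice does not double-tag.
            sed -E "s|^([[:space:]]*include[[:space:]]+[^#]*emerging-[^/[:space:]]*\.rules.*)\$|${ET_MARK}\1|" "$conf" > "$tmp" ;;
        enable)
            # Strip the marker only, so includes the user commented out by
            # hand stay disabled.
            sed -E "s|^${ET_MARK}(.*)\$|\1|" "$conf" > "$tmp" ;;
        *)
            rm -f "$tmp"
            echo "usage: et_includes disable|enable FILE" >&2
            return 2 ;;
    esac
    cat "$tmp" > "$conf" && rm -f "$tmp"   # keeps the file's owner and mode
}

# count_active_et <snort.conf>: number of ET includes Snort would load
count_active_et() {
    grep -Ec '^[[:space:]]*include[[:space:]]+[^#]*emerging-[^/[:space:]]*\.rules' "$1" || :
}

# make_sample: write a constructed snort.conf fragment, print its path
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-malware.rules
# include $RULE_PATH/emerging-games.rules
EOF
    echo "$f"
}
```

Run et_includes against a copy of snort.conf first and validate the result with snort -T before restarting the sensor.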

