[Snort-users] VRT rules policy question

wkitty42 at ...14940...
Wed Apr 5 11:30:50 EDT 2017


On 04/04/2017 03:52 PM, Stanford Prescott wrote:
> Maybe if it is felt that the ET rules need to be disabled, it would be better
> to just remove the includes for the ET rules (comment them out) in the
> snort.conf file instead of disabling each separate alert in each ET rules
> file. That would make it somewhat easier for the user to re-enable the ET
> rules files than having to uncomment each separate alert in the ET rules
> files.


it would also make it faster for the updates as well as retaining the existing 
enabled/disabled rules in the ET files... if PP is marking each individual ET 
rule as disabled, that loses the existing configuration and it will be very hard 
for the user to return to using the ET rules in at least their default as 
distributed condition...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
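
Added example, not part of the original message and not PulledPork's own code: a sketch of the include-level toggle discussed in this thread, which tags the ET `include` lines in snort.conf so they can be restored exactly while the rules files themselves stay untouched. The `emerging-*.rules` file naming, the `#ET-OFF# ` marker and the sample snort.conf lines are assumptions constructed for illustration.

```python
import re

# Assumption: ET rule files follow the "emerging-*.rules" naming convention.
ET_INCLUDE = re.compile(r'^\s*include\s+\S*emerging-\S+\.rules\s*$')
ANY_INCLUDE = re.compile(r'^\s*include\s+(\S+)')
# Hypothetical marker: distinguishes lines this tool disabled from
# includes the admin had already commented out with a plain '#'.
MARKER = "#ET-OFF# "

def disable_et(conf_text):
    """Comment out active ET includes; per-rule state in the files is untouched."""
    out = []
    for line in conf_text.splitlines():
        if ET_INCLUDE.match(line):
            line = MARKER + line
        out.append(line)
    return "\n".join(out) + "\n"

def enable_et(conf_text):
    """Restore only the includes tagged by disable_et()."""
    out = []
    for line in conf_text.splitlines():
        if line.startswith(MARKER):
            line = line[len(MARKER):]
        out.append(line)
    return "\n".join(out) + "\n"

def active_includes(conf_text):
    """List the rule files Snort would actually load from this config text."""
    return [m.group(1) for m in map(ANY_INCLUDE.match, conf_text.splitlines()) if m]

# Constructed sample snort.conf fragment (not from the thread).
SAMPLE = """\
include $RULE_PATH/local.rules
include $RULE_PATH/emerging-dos.rules
# include $RULE_PATH/emerging-games.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/community.rules
"""

if __name__ == "__main__":
    off = disable_et(SAMPLE)
    print(off)
    print(active_includes(off))
    print(enable_et(off) == SAMPLE)
```

The include the admin had already commented out stays commented after the round trip, so the earlier configuration is preserved.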



