[Snort-users] VRT rules policy question

Joel Esler (jesler) jesler at ...589...
Wed Apr 5 13:16:47 EDT 2017


I agree.  But an issue needs to be raised in the pulledpork project.

--
Joel Esler | Talos: Manager | jesler at ...589...

On Apr 4, 2017, at 3:52 PM, Stanford Prescott <stan.prescott at ...11827...> wrote:

Thank you for your responses, Joel and Michael.

Perhaps I am oversimplifying this, but it seems to me that the emerging
threats rules could just be left alone. If someone wants to use the VRT
policies, they could be informed that ET doesn't participate in the
security policy settings and that the user should adjust their ET rules on
their own if they need to if they want to use the VRT rules policy and ET
rules together.

Maybe if it is felt that the ET rules need to be disabled, it would be
better to just remove the includes for the ET rules (comment them out) in
the snort.conf file instead of disabling each separate alert in each ET
rules file. That would make it somewhat easier for the user to re-enable
the ET rules files than having to uncomment each separate alert in the ET
rules files.

On Tue, Apr 4, 2017 at 1:50 PM, Joel Esler (jesler) <jesler at ...589...>
wrote:

I would imagine, because ET doesn’t use the policy features.

Sounds like you need to submit an issue to pulledpork:
https://github.com/shirkdog/pulledpork/issues


--
Joel Esler | Talos: Manager | jesler at ...589...

On Apr 4, 2017, at 12:42 PM, Stanford Prescott <stan.prescott at ...11827...>
wrote:

When using pulledpork and setting a VRT rules policy like connectivity,
balanced or security, why are emerging threats rules disabled?

After selecting a security policy, if one were to want to return to no
security policy and re-enable the emerging threats rules, is there a quick
way to do that using pulledpork?
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


