
List:       snort-users
Subject:    Re: [Snort-users] Snort rules
From:       "Joel Esler (jesler)" <jesler () cisco ! com>
Date:       2016-06-14 22:34:30
Message-ID: 408960ED-5F93-4F6F-9B29-9D803C6C57B4 () cisco ! com

The "on off" state, by default, equates, roughly, to balanced.  You have to adjust
your posture from there.


--
Joel Esler
Manager, Talos Group




> On Jun 14, 2016, at 11:09 AM, Y M <snort@outlook.com> wrote:
> 
> Yes, as far as I understand. In a very abstract form, the policy is expressed in
> the "metadata" keyword within each rule using definitions such as balanced-ips,
> security-ips. This is how PulledPork can tell which rules to enable based on the
> selected policy. There is a one-to-one mapping of policies between the ruleset
> and PulledPork (not sure about the max-ips though).
> YM
> 
> Sent from Mobile
> 
> _____________________________
> From: Dan Roberts <danroberts2604@gmail.com>
> Sent: Tuesday, June 14, 2016 5:24 PM
> Subject: Re: [Snort-users] Snort rules
> To: Y M <snort@outlook.com>
> 
> 
> Thanks for the link :-)
> 
> I knew that with some dedicated tools (like PulledPork) you can generate your
> set of rules based on: connectivity, balanced or security profile.
> Does it mean that the package delivered by default by Snort for the registered
> users (snortrules-snapshot-xxx.tar.gz) provides the same set of rules (known as
> "Balanced Base Policy") as the balanced one built by PulledPork?
> 
> 
> On Tue, Jun 14, 2016 at 3:00 PM, Y M <snort@outlook.com> wrote:
> Check this link:
> http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
> YM
> 
> Sent from Mobile
> 
> 
> 
> 
> On Tue, Jun 14, 2016 at 3:55 PM +0300, "Dan Roberts" <danroberts2604@gmail.com> wrote:
> Hi all,
> 
> Does someone know what decides which rules are commented out (#) in the *.rules
> files contained in the snortrules-snapshot-29xx.tar.gz package?
> Are they outdated? So why do we keep them in the files?
> 
> Thanks
> 
> Dan
> 
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
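The two answers in this thread (the shipped "#" state is roughly the balanced policy; PulledPork decides by reading the policy tags out of each rule's metadata keyword) can be shown in a few lines. The Python below is an added example written for this archive page, not code from the thread, PulledPork or Talos; the sample rules and SIDs are constructed, and `max-detect-ips` is my assumption for the "max" policy the thread is unsure about.

```python
import re

# Policy tags found in rule metadata: the three named in the thread plus
# "max-detect-ips", my assumption for the "max-ips" policy the thread mentions.
POLICIES = ("connectivity-ips", "balanced-ips", "security-ips", "max-detect-ips")
# Constructed *.rules sample (not real Talos rules; SIDs are made up).
SAMPLE_RULES = """\
# Plain comments and blank lines pass through unchanged.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE balanced and security"; flow:to_server,established; content:"GET"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE security only"; flow:to_server,established; content:"USER"; metadata:policy security-ips alert, service ftp; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE no policy tag"; flow:to_server,established; content:"HELO"; sid:9000003; rev:1;)
"""
# A rule line, optionally commented out with a leading '#'; group 2 is the rule.
RULE_RE = re.compile(r"^\s*(#\s*)?((?:alert|drop|log|pass|reject|sdrop)\s.*\))\s*$")
META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_policies(rule):
    """Policy names declared as 'policy <name> <action>' in the rule's metadata."""
    m = META_RE.search(rule)
    if not m:
        return set()
    names = set()
    for item in m.group(1).split(","):
        parts = item.split()
        if len(parts) >= 2 and parts[0] == "policy":
            names.add(parts[1])
    return names

def apply_policy(rules_text, policy):
    """Re-emit the file with each rule enabled or '#'-disabled for `policy`.
    Returns (new_text, enabled_sids, disabled_sids); the shipped '#' state is
    ignored, membership in the chosen policy alone decides."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    out, enabled, disabled = [], [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:                      # blank line or ordinary comment
            out.append(line)
            continue
        body = m.group(2)
        sid_m = SID_RE.search(body)
        sid = int(sid_m.group(1)) if sid_m else None
        if policy in rule_policies(body):
            out.append(body)
            enabled.append(sid)
        else:
            out.append("# " + body)
            disabled.append(sid)
    return "\n".join(out) + "\n", enabled, disabled
```

Running `apply_policy(SAMPLE_RULES, "balanced-ips")` leaves only SID 9000001 enabled, which is the "on off" state the snapshot ships with; switching to `"security-ips"` un-comments the security-only rule as PulledPork would.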

