ruleman docs? about py-idstools HOT 6 CLOSED

Its a pretty crude rule management tool that I started as I wasn't happy with the workflow of the alternatives. I wouldn't call it finished, but its all I've used for the past couple years. I put together a basic usage example here: https://github.com/jasonish/py-idstools/wiki/Ruleman

The "output" is a file called snort.rules which you would then include in your snort.conf instead of all the individual rule, preproc_rule, and so_rule includes.

My current issue with the tool is it didn't quite end up where I wanted. More and more I want something backed by git, so I may take it that direction and give it a more git-like workflow. Also, using something like SQLite as the backend could really speed it up I think.

Anyways, if you are interested in such a tool, or about to work on your own you should really drop me an email.

from py-idstools.

It now makes more sense. I will email you if we proceed, as this is more of a command line tool whereas we are looking for something to embed as part of a rails app. Also, using idstools has worked great for indexing events into elasticsearch ... once we do some more testing it will be open sourced. Thanks.

from py-idstools.

Part of the idea of ruleman was to break out some code from an existing
tool I had into the idstools library for working with Snort rules. Some of
this code may still be under idstools.ruleman instead of the proper
library, but in time I plan to get that sorted out. Like idstools can
already help someone in creating their own Barnyard, I want idstools to
also make it more or less simple to create your own OinkMaster or
PulledPork.

A web based rule management tool is the scope of another I may be involved
with soon.

On Sat, Nov 1, 2014 at 8:43 AM, chris [email protected] wrote:

It now makes more sense. I will email you if we proceed, as this is more
of a command line tool whereas we are looking for something to embed as
part of a rails app. Also, using idstools has worked great for indexing
events into elasticsearch ... once we do some more testing it will be open
sourced. Thanks.

—
Reply to this email directly or view it on GitHub
#9 (comment).

from py-idstools.

Following the wiki, I get this:

idstools-ruleman update
error: unknown command: update
usage: idstools-ruleman <command> [args...]

Commands:

  fetch                Fetch rule sources
  source               Manage rule sources
  disable              Disable rules
  search               Search rules
  apply                Apply ruleset modifications and write
  config               Configuration commands
  dump-dynamic-rules   Dump dynamic rules

... should I use fetch instead of update ?

from py-idstools.

Update must only be in git master. A fetch followed by an apply is effectively the same as an update. I just combined them into a single command as it's the most commonly done operation after initial setup.

You can use the tool from a git checkout just by calling bin/idstools-ruleman directly from the working directory. It doesn't need to be installed - it'll pick up right idstools lib based on its execution location.

On Nov 1, 2014, at 9:15 AM, chris [email protected] wrote:

Following the wiki, I get this:

idstools-ruleman update
error: unknown command: update
usage: idstools-ruleman [args...]

Commands:

fetch Fetch rule sources
source Manage rule sources
disable Disable rules
search Search rules
apply Apply ruleset modifications and write
config Configuration commands
dump-dynamic-rules Dump dynamic rules
... should I use fetch instead of update ?

—
Reply to this email directly or view it on GitHub.

from py-idstools.

Thanks again.

from py-idstools.