question/suggestion on so_rules about pulledpork HOT 8 CLOSED

Russel, 

part of the reason that I set it up to generate stubs from the so rules 
themselves was due to the configuration complexity behind using so rules, 
granted it's not overly complex if you are an avid SNORT user, but my concern 
was that people would attempt to enable so rules without proper snort.conf 
configuration and using the incorrect .so binaries.. doing it the way that I am 
forces validation and throws errors for users that have not properly done the 
aforementioned, make sense?

hmmm... how does this interact with dropping/ignoring do_rules in the Config?

Again, I have worked around this by moving to 64bit on the manager box -- same 
as the sensors.  

I now remember what else was bothering me about using snort to generate the 
stub rules from the binaries.   I can't do rule selection on a file basis.  
This occurred to me while writing up the include stuff for 35.

I am very close to getting my stuff all converted over to PP and I do now have 
a small perl script that will build the enable, modify, etc conf files from the 
oinkmaster file

Hmmm... will open a new issue and post it :)

you mean rule selection based on the associated so file with it's stub or?

This can now be accomplished using the state_order configuration directive in 
the master config file.  This allows you to specify the order of sid 
modification routines.. so an example would be to first disable an entire 
category and then enable individual rules out of that category by setting the 
order to

disable,drop,enable

The default order of operations is enable, drop, disable.

As I see it there are two issues: 

1/ categories != files.

    Files come with rules disabled by default and I hardly ever enable these.
    yes I can disable a whole category then enable those that I want but this 
    is very labour intensive and worse still I don't get new rules without altering 
    the config.  This is not an option for me
2/  While I want new rules in a selected category by default I dont want new
    categories load without some review.  So far as I can see you have to 
    explicitly exclude categories if you don't want them

What it boils down to is that I want to be able to specify which rules I load 
at the File level.  My include patch does this.

Some time next week I'll build a patch for this so you can see what I am about.

Issue 48 has been merged into this issue.