Comments (8)
Russel,
part of the reason that I set it up to generate stubs from the so rules
themselves was due to the configuration complexity behind using so rules.
Granted, it's not overly complex if you are an avid SNORT user, but my concern
was that people would attempt to enable so rules without proper snort.conf
configuration and using the incorrect .so binaries. Doing it the way that I am
forces validation and throws errors for users that have not properly done the
aforementioned. Make sense?
Original comment by [email protected]
on 20 Oct 2010 at 5:04
from pulledpork.
Original comment by [email protected]
on 20 Oct 2010 at 5:19
- Added labels: Priority-Low, Type-Enhancement
- Removed labels: Priority-Medium, Type-Defect
from pulledpork.
hmmm... how does this interact with dropping/ignoring do_rules in the Config?
Again, I have worked around this by moving to 64bit on the manager box -- same
as the sensors.
Original comment by [email protected]
on 20 Oct 2010 at 8:54
from pulledpork.
I now remember what else was bothering me about using snort to generate the
stub rules from the binaries. I can't do rule selection on a file basis.
This occurred to me while writing up the include stuff for 35.
I am very close to getting my stuff all converted over to PP and I do now have
a small perl script that will build the enable, modify, etc. conf files from the
oinkmaster file.
Hmmm... will open a new issue and post it :)
Original comment by [email protected]
on 20 Oct 2010 at 9:07
from pulledpork.
You mean rule selection based on the associated so file with its stub, or?
Original comment by [email protected]
on 20 Oct 2010 at 11:29
from pulledpork.
This can now be accomplished using the state_order configuration directive in
the master config file. This allows you to specify the order of sid
modification routines, so an example would be to first disable an entire
category and then enable individual rules out of that category by setting the
order to
disable,drop,enable
The default order of operations is enable, drop, disable.
Original comment by [email protected]
on 21 Oct 2010 at 3:09
- Changed state: Fixed
from pulledpork.
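As an added illustration (not pulledpork's own code) of why the state_order setting matters, the following Python model applies the three sid-modification passes over a constructed rule set in a configurable order, so the difference between the default enable,drop,disable and the suggested disable,drop,enable becomes visible. The selector syntax (`category:<name>` for a whole category, a bare number for one sid) and the sample sids are assumptions for this example, not pulledpork's own disablesid/enablesid file format.

```python
# Illustrative model of state_order behaviour (added example, not
# pulledpork's own code). Rule set and selector syntax are constructed.
from typing import Dict, Iterable, Tuple

# Constructed sample ruleset: sid -> (category, enabled by vendor default)
SAMPLE_RULES: Dict[int, Tuple[str, bool]] = {
    1001: ("web-attacks", True),
    1002: ("web-attacks", True),
    1003: ("web-attacks", False),
    2001: ("policy", False),
    2002: ("policy", True),
}

DEFAULT_ORDER = "enable,drop,disable"  # the default order named in the comment


def _matches(sid: int, category: str, selector: str) -> bool:
    """Constructed selector syntax: 'category:<name>' matches every rule in
    that category; anything else is taken as a single sid."""
    if selector.startswith("category:"):
        return category == selector.split(":", 1)[1]
    return sid == int(selector)


def apply_state_order(rules: Dict[int, Tuple[str, bool]],
                      disable: Iterable[str] = (),
                      drop: Iterable[str] = (),
                      enable: Iterable[str] = (),
                      order: str = DEFAULT_ORDER) -> Dict[int, str]:
    """Return sid -> 'alert' | 'drop' | 'disabled' after running the three
    passes in the given order. Each pass overwrites the state of the rules
    it selects, so a later pass always wins over an earlier one."""
    state = {sid: ("alert" if on else "disabled") for sid, (_, on) in rules.items()}
    passes = {
        "disable": (list(disable), "disabled"),
        "drop": (list(drop), "drop"),
        "enable": (list(enable), "alert"),
    }
    for step in order.split(","):
        step = step.strip()
        if step not in passes:
            raise ValueError(f"unknown state_order step: {step!r}")
        selectors, new_state = passes[step]
        for sid, (category, _) in rules.items():
            if any(_matches(sid, category, sel) for sel in selectors):
                state[sid] = new_state
    return state


def compare_orders(rules: Dict[int, Tuple[str, bool]] = SAMPLE_RULES):
    """Disable all of web-attacks, then single out sid 1003 to enable, and
    show the result under the default order and under disable,drop,enable."""
    disable = ["category:web-attacks"]
    enable = ["1003"]
    default = apply_state_order(rules, disable=disable, enable=enable)
    custom = apply_state_order(rules, disable=disable, enable=enable,
                               order="disable,drop,enable")
    return default, custom


if __name__ == "__main__":
    default, custom = compare_orders()
    for sid in sorted(SAMPLE_RULES):
        print(sid, SAMPLE_RULES[sid][0],
              "default:", default[sid], "custom:", custom[sid])
```

Under the default order the enable pass runs first and the category-wide disable then overrides it, so sid 1003 ends up disabled; with disable,drop,enable the single-sid enable runs last and 1003 stays on while the rest of the category is off.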
As I see it there are two issues:
1/ categories != files.
Files come with rules disabled by default and I hardly ever enable these.
Yes, I can disable a whole category then enable those that I want, but this
is very labour intensive and, worse still, I don't get new rules without altering
the config. This is not an option for me.
2/ While I want new rules in a selected category by default, I don't want new
categories loaded without some review. So far as I can see you have to
explicitly exclude categories if you don't want them.
What it boils down to is that I want to be able to specify which rules I load
at the file level. My include patch does this.
Some time next week I'll build a patch for this so you can see what I am about.
Original comment by [email protected]
on 21 Oct 2010 at 8:57
from pulledpork.
Issue 48 has been merged into this issue.
Original comment by [email protected]
on 8 Nov 2010 at 3:52
from pulledpork.