snort-sigs February 2011 archive

Re: [Snort-sigs] oinkmaster and so rules.. FAQ broken?

From: JJC <cummingsj_at_nospam>
Date: Wed Feb 09 2011 - 14:38:23 GMT
To: Michael Scheidell <michael.scheidell@secnap.com>

On Wed, Feb 9, 2011 at 3:01 AM, Michael Scheidell
<michael.scheidell@secnap.com> wrote:
> On 2/8/11 9:40 PM, waldo kitty wrote:
>
> one such reason that i'm aware, and i think i have talked with the
> pulledpork maintainer about it, is the merging of all rules files into
> one rules file...
>
> you're serious?
>
> if that is the case, then I won't even look at pulled pork.
> we have multiple snorts running in multiple hosts.
> on one host, one snort_lan.conf could have different rulesets than
> snort_wan.conf.
>
> that makes pulled pork a real pig in a poke.
>
>
> --
> Michael Scheidell, CTO

A couple of quick notes here for clarity:

1: PP does write to a single unified output file to aid in
simplifying snort configuration; the idea is that you use PP to manage
the rulestate and inclusion of all rulesets in this file. You can
still have multiple snorts running multiple disparate rulesets; again,
the rule inclusion / state is simply managed by PP rather than
commenting / uncommenting in your master snort.conf.

2: The source rules file name already exists in the data structure at
%ruleshash{gid}{sid}{rulesfilenameishere}; this has existed in the
data structure for some time now! As such, and by design, it would
be trivial for someone to use this data to write individual rules
files back out from PP and this is a slated enhancement to PP. Having
said that, I still advocate using a single rules file as it can
dramatically reduce the complexity needed to run / tune your snort
deployment. This does not apply to gid:3 stub rules though, they will
still be written to a single output file.

I certainly welcome any contribution to the tool such as the aforementioned :-)

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
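The per-source split that point 2 above describes (write individual rules files back out from the gid/sid-to-filename map, with gid:3 stub rules still going to one file) can be sketched like this. This is an added illustration, not PulledPork's own code: the SOURCE_FILE dict stands in for the %ruleshash{gid}{sid}{filename} structure mentioned in the message, and the rules text and sids are constructed sample data.

```python
"""Split a unified rules file back into per-source files by (gid, sid)."""
import re
from collections import defaultdict

# Assumed stand-in for PulledPork's %ruleshash{gid}{sid}{filename}: which
# source file each (gid, sid) originally came from. Constructed sample values.
SOURCE_FILE = {
    (1, 2000001): "web-attacks.rules",
    (1, 2000002): "web-attacks.rules",
    (1, 2000003): "dns.rules",
    (3, 20000): "so_rules_stub.rules",   # ignored: gid:3 is routed separately
}

# Constructed sample of a unified output file. The second rule is disabled
# (commented out), showing that rule state survives the split unchanged.
UNIFIED = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test 1"; sid:2000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test 2"; sid:2000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test"; sid:2000003; rev:2;)
alert tcp any any -> $HOME_NET any (msg:"SO stub"; sid:20000; gid:3; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def rule_key(line):
    """Return (gid, sid) for an enabled or commented-out rule line, else None.
    A rule without an explicit gid option is gid 1 (Snort's default)."""
    body = line.lstrip("# ").strip()
    if not body:
        return None
    sid = SID_RE.search(body)
    if not sid:
        return None
    gid = GID_RE.search(body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def split_rules(unified, source_file, so_output="so_rules.rules"):
    """Group rule lines by source file; every gid:3 stub goes to so_output.
    Lines with no known source land under key None so nothing is dropped."""
    out = defaultdict(list)
    for line in unified.splitlines():
        key = rule_key(line)
        if key is None:
            continue
        target = so_output if key[0] == 3 else source_file.get(key)
        out[target].append(line)
    return dict(out)
```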