2

I am working with Snort. I have included both the latest community and registered rules in my Snort configuration file. At run time I found that many rules are duplicated, that is, some rules are available in both the community and registered rules. Thus my Snort is ignoring old duplicated rules. Because of this, Snort takes much time to come up. How do I ignore these duplicates? Or shall I include only the registered rules in my Snort? Are all Snort community rules available in the Snort registered rules?

Lakshmi Balan

1 Answer

4

Are all Snort community rules available in the Snort registered rules?

Yes. The Snort Registered ruleset contains the Community ruleset. Ref

Or shall I include only the registered rules in my Snort?

It is recommended that you use both the Registered Ruleset and the community ruleset, if you are not going to become a subscriber. Ref

schroeder
rootkea
    rootkea is right. Source: I am in charge of the rule sets and the website. – Joel Esler Oct 14 '16 at 23:24
  • 2
    If registered rulesets contain all community rules then why is it recommended to use both? It increases the running time of Snort to remove duplicate rules. – Lakshmi Balan Oct 15 '16 at 08:52
  • 1
    @JoelEsler can answer it better about the recommendation of using both the Community Ruleset and Registered Ruleset even though the Snort Registered ruleset contains the Community ruleset. – rootkea Oct 19 '16 at 09:48
  • 1
    Any info on @LakshmiBalan's question? – Gabriel Rebello Apr 23 '18 at 17:17
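
For readers hitting the same duplicate-rule slowdown, one way to merge the two rule files before Snort loads them, as an added example that is not part of the original posts. It assumes one rule per line, that a rule is identified by its gid and sid (gid taken as 1 when absent), and that the copy with the higher rev should win; the sample rules, their SIDs and the names `rule_key` and `merge_rules` are constructed for illustration.

```python
import re

# gid/sid/rev identify a rule; assumes one rule per line (no continuations).
_OPT = {n: re.compile(r"\b%s\s*:\s*(\d+)\s*;" % n) for n in ("gid", "sid", "rev")}
# Constructed sample rules (local SID range), not taken from either ruleset.
COMMUNITY = """\
alert tcp any any -> any 80 (msg:"constructed A"; content:"a"; sid:1000001; rev:2;)
alert tcp any any -> any 80 (msg:"constructed B"; content:"b"; sid:1000002; rev:1;)
"""
REGISTERED = """\
alert tcp any any -> any 80 (msg:"constructed A"; content:"a"; sid:1000001; rev:3;)
alert tcp any any -> any 443 (msg:"constructed C"; content:"c"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; content:"b"; sid:1000002; rev:1;)
"""


def rule_key(line):
    """Return ((gid, sid), rev), or None for blank, commented or sid-less lines."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    found = {n: p.search(text) for n, p in _OPT.items()}
    if found["sid"] is None:
        return None
    gid = int(found["gid"].group(1)) if found["gid"] else 1  # assumed default gid
    rev = int(found["rev"].group(1)) if found["rev"] else 0
    return (gid, int(found["sid"].group(1))), rev


def merge_rules(*rulesets):
    """Merge (name, text) pairs into one rule per (gid, sid); highest rev wins."""
    best, dropped = {}, []
    for name, text in rulesets:
        for line in text.splitlines():
            parsed = rule_key(line)
            if parsed is None:
                continue
            key, rev = parsed
            if key in best and rev <= best[key][0]:
                dropped.append((key, name))  # same or older copy: skip it
                continue
            if key in best:
                dropped.append((key, best[key][1]))  # newer copy replaces old one
            best[key] = (rev, name, line.strip())
    return [entry[2] for entry in best.values()], dropped


if __name__ == "__main__":
    print(merge_rules(("community", COMMUNITY), ("registered", REGISTERED)))
```

Writing the kept rules to one file and including only that file means each rule is loaded once.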