Managing Rules

Rulesets are chosen during setup and are specified in /etc/nsm/pulledpork/pulledpork.conf. If you change the configuration in pulledpork.conf, you will need to run rule-update. In a server/sensor deployment, run rule-update on the master first, then on the sensor (or simply wait up to 15 minutes for the rules to be replicated).
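Before running rule-update it is worth confirming which rulesets pulledpork.conf actually enables and that no licensed entry still carries an unreplaced oinkcode placeholder. The following shell snippet is an added example, not part of the Security Onion documentation or the pulledpork project; it assumes the stock pulledpork.conf layout of one `rule_url=<url>|<tarball>|<oinkcode>` line per ruleset with disabled entries commented out by a leading `#`, and it works on a constructed sample file rather than the live /etc/nsm/pulledpork/pulledpork.conf.

```shell
# Added example (not from the Security Onion docs): inspect the rule_url
# entries of a pulledpork.conf before running rule-update.
# Assumption: each ruleset is one "rule_url=<url>|<tarball>|<oinkcode>" line,
# and disabled rulesets are commented out with a leading "#".

# Constructed sample standing in for /etc/nsm/pulledpork/pulledpork.conf
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# ET Open (free): enabled
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# ET Pro (license fee per sensor): disabled
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<etpro-oinkcode>
# Snort Registered: enabled, but the oinkcode placeholder was never replaced
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
EOF

# Print the active (uncommented) rule_url lines of the given config file.
active_rule_urls() {
    grep -E '^[[:space:]]*rule_url=' "$1"
}

# Succeed only when every active rule_url has a real third field; a value
# still wrapped in "<...>" is a placeholder and is printed as an error.
check_oinkcodes() {
    active_rule_urls "$1" | awk -F'|' '
        $3 ~ /^<.*>$/ { print "placeholder oinkcode: " $0; bad = 1 }
        END { exit bad }'
}

# Report, then leave the decision to the operator (rule-update is not invoked).
echo "Active rulesets in $SAMPLE_CONF:"
active_rule_urls "$SAMPLE_CONF"
if check_oinkcodes "$SAMPLE_CONF"; then
    echo "Config looks complete; rule-update can be run (master first, then sensors)."
else
    echo "Fix the placeholder entries in pulledpork.conf before running rule-update."
fi
```

Point the two functions at the real file once you trust them; the check is read-only and never touches the rules themselves.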

Security Onion offers the following choices for rulesets to be used by Snort/Suricata.

ET Open

  • optimized for Suricata, but available for Snort as well
  • free

For more information, see:

ET Pro (Proofpoint)

  • optimized for Suricata, but available for Snort as well
  • rules retrievable as released
  • license fee per sensor

Snort Community

  • optimized for Snort
  • community-contributed rules
  • free

Snort Registered

  • optimized for Snort
  • Snort SO (Shared Object) rules will only work with Snort
  • same rules as Snort Subscriber ruleset, except rules only retrievable after 30 days past release
  • free

Snort Subscriber (Talos)

  • optimized for Snort
  • Snort SO (Shared Object) rules will only work with Snort
  • rules retrievable as released
  • license fee per sensor