>
> What is a Monolithic rules file? Meir has great instructions on how
> to create one. Is it simply a compiled file made from all of the rule
> files? Seems like a good idea for a production system but a lot of
> bother for a system used for rule development.
>
I believe this is just a way to have all of your rules in one file.
It's still XML/text, but is all contained in one file as opposed to
being split up. Being a long-time snort user, I, personally, am
accustomed to having the rules split up and don't see the value in
having one file.
Compile rules scenario 1
You want to edit some rules xml file but keep the original. If you edit the file in rules, it will be gone for good.
If you use compile rules, you unlink the file from signatures, copy over the file there and edit the instance.
Compile rules scenario 2
You want to deploy different configurations for multiple ossec servers.
Run compile rules each time with different sources and diff dest file.
You can centrally build multiple confs and deploy multiple servers.
Compile scenario 3
Using separated dirs for ossec rules and user defined rules.
Compile scenario 4
Add new rules files without altering any configuration file.
Compile rules is a working idea. I could modify it to do all what I said and instead of generating a monolithic file, I could write back separated files. There are also some advantages of using a file per rule.
Compile rules does two things and some ppl may like part of it. Personally I get a lot of use of it by the way I administer the rules. YMMV
Feedback?
