pulledpork

Extra enable/disable step

Open GoogleCodeExporter opened this issue 9 years ago • 1 comments

I thought I opened a bug on this, but looking back apparently I didn't...

The biggest problem I run into with PP is that there is only one
enable and one disable pass. You can pick what order they happen in
but you only get one shot at each state process. I think there needs
to be 3 state change steps.

Either:
disable, enable, disable
or
enable, disable, enable

The original rule files ship with some rules on and some rules off so,

Situation 1 - order: disable,enable

Using categories, you disable all rules except the "blacklist" and "botnet-cnc".
Using categories, you enable all the "blacklist" and "botnet-cnc" rules.
At this point you are stuck. There is no easy way to disable an
individual rule in either the "blacklist" or "botnet-cnc" rulesets.

Situation 2 - order: enable,disable
Using categories, you enable all the "blacklist" and "botnet-cnc" rules.
Using categories, you disable all rules except the "blacklist" and "botnet-cnc".
At this point you are stuck. There is no easy way to enable a handful
of rules from any of the other rulesets.

Fix: command line option to set the initial state of all rules

Fix 1 - order: --all-on, disable,enable

Turn everything on.
Using categories, you disable all rules except the "blacklist" and "botnet-cnc".
At this point, you are at the end state of both Situation 1&2, but you
have another enable step at your disposal. You can now enable a
handful of rules in other files if you want. This solves the problem
in Situation 2.

Fix 2 - order: --all-off, enable, disable

Turn everything off.
Using categories, you enable all the "blacklist" and "botnet-cnc".
At this point, you are at the end state of both Situation 1&2, but you
have another disable step at your disposal. You can now disable rules
in the "blacklist" and "botnet-cnc" sets if you want. Solves Situation
1. You could also enable a few rules in the other files with the
single enable step too. Solves Situation 2.

Looks like just adding an --all-off option is what is really needed.

Original issue reported on code.google.com by [email protected] on 29 Mar 2011 at 1:13

GoogleCodeExporter, Apr 23 '15 15:04

Original comment by [email protected] on 7 Jun 2011 at 3:55

  • Added labels: Type-Enhancement
  • Removed labels: Type-Defect

GoogleCodeExporter, Apr 23 '15 15:04
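The ordering problem described in the issue, as an added example that is not part of the original thread and is not PulledPork code. It is a simplified model that assumes each pass sets the state of every rule it matches and that a later pass wins; the sids, the "web-misc" category and all function names are constructed for illustration, and `initial=False` stands in for the proposed `--all-off` option.

```python
# Simplified model of ordered rule-state passes (illustration only).
# Assumption: a pass sets the state of each rule it matches; later passes win.

# Constructed ruleset: sid -> (category, enabled as shipped)
RULES = {
    1001: ("blacklist", True),
    1002: ("blacklist", False),
    2001: ("botnet-cnc", True),
    2002: ("botnet-cnc", False),
    3001: ("web-misc", True),
    3002: ("web-misc", False),
}
WANTED = ("blacklist", "botnet-cnc")


def in_categories(*cats):
    """Sids belonging to any of the given categories."""
    return {sid for sid, (cat, _) in RULES.items() if cat in cats}


def not_in_categories(*cats):
    """Sids belonging to none of the given categories."""
    return set(RULES) - in_categories(*cats)


def apply_passes(passes, initial=None):
    """Return the set of enabled sids after running the passes in order.
    initial=None keeps the shipped states; True/False models a hypothetical
    --all-on / --all-off starting point."""
    state = {sid: shipped if initial is None else initial
             for sid, (_, shipped) in RULES.items()}
    for action, sids in passes:
        for sid in sids:
            state[sid] = (action == "enable")
    return {sid for sid, on in state.items() if on}


# Goal: both wanted categories on, minus sid 1002, plus sid 3002 from another set.
TARGET = (in_categories(*WANTED) - {1002}) | {3002}

enable_pass = ("enable", in_categories(*WANTED) | {3002})
disable_bulk = ("disable", not_in_categories(*WANTED) | {1002})

situation_1 = apply_passes([disable_bulk, enable_pass])  # 1002 switched back on
situation_2 = apply_passes([enable_pass, disable_bulk])  # 3002 switched back off
fix_2 = apply_passes([enable_pass, ("disable", {1002})], initial=False)

if __name__ == "__main__":
    for name, got in (("situation 1", situation_1),
                      ("situation 2", situation_2), ("fix 2", fix_2)):
        print(f"{name}: {sorted(got)} target_reached={got == TARGET}")
```
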