Re: [Snort-users] updating snort rules with oinkmaster

06-02-2004
Andreas Östling


Hello,

To answer your question, there is currently no
I-modified-this-rule-so-never-auto-update-it-again feature.
I tried to explain this in the FAQ
(Q16/A16 at http://oinkmaster.sourceforge.net/faq.shtml).

My experience is that such a feature can very easily give you lots of
rules that simply don't get maintained anymore just because you once
modified some detail in them (which you usually forget or don't care about
after a while).

When using Oinkmaster you could always put heavily customized rules in
some local rules file and then disable the original rule. For minor tweaks
(such as modifying the priority) I prefer to use 'modifysid' to apply the
modification after each rules update instead. This way, if the
official/original rule gets updated, you still get the new version of the
rule while your tweak would still be applied (as long as the regexp still
matches of course, but you will get a warning if it doesn't). Another
important point is that this is kind of self-documenting, and the
modifysid stuff will hopefully be much easier in 1.1 as well.

The feature you asked about could probably be implemented but I never
cared to do it as I wouldn't use it myself. But of course, these are just
my personal opinions so any suggestions/patches are always appreciated.

/Andreas


On Wed, 2 Jun 2004 Pascal.Dubach@swisscom.com wrote:

> Hello,
>
> I am trying to update my snort rules, and this works fine.
> But I have changed the priorities of some rules in some rule-files.
> If I just update all the snort rules, the customized ones will be
> overwritten.
> Is there any possibility not to update these rules? If I just disable
> the sid, the rules wouldn't be active anymore, but I want to log the
> alerts on
> the server, so they have to be active.
>
> thx and Kind Regards,
> Pascal
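
The re-apply-after-update approach described in the reply above, sketched in Python as an added example; it is not Oinkmaster's code or its configuration syntax. The rule text, the SID, and the names `apply_tweaks` and `TWEAKS` are constructed for illustration.

```python
import re

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def apply_tweaks(rules_text, tweaks):
    """Re-apply per-SID regex tweaks to freshly downloaded rules.

    tweaks maps sid -> (pattern, replacement). Returns (new_text, warnings);
    a warning is issued when a tweak's pattern no longer matches its rule
    or when no active rule with that SID is present in the update.
    """
    out, warnings, seen = [], [], set()
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        # Comments and disabled rules pass through untouched.
        if sid in tweaks and not line.lstrip().startswith("#"):
            seen.add(sid)
            pattern, repl = tweaks[sid]
            line, n = re.subn(pattern, repl, line)
            if n == 0:
                warnings.append(f"sid {sid}: pattern {pattern!r} did not match")
        out.append(line)
    for sid in sorted(set(tweaks) - seen):
        warnings.append(f"sid {sid}: no active rule with this sid in update")
    return "\n".join(out), warnings

# Constructed tweak: raise the priority of SID 1000001 after every update.
TWEAKS = {1000001: (r"priority:\s*\d+;", "priority:1;")}

# Constructed rules standing in for three successive upstream releases.
UPDATE_V1 = 'alert tcp any any -> any 80 (msg:"demo"; content:"old"; priority:3; sid:1000001; rev:1;)'
UPDATE_V2 = 'alert tcp any any -> any 80 (msg:"demo"; content:"new"; priority:3; sid:1000001; rev:2;)'
UPDATE_V3 = 'alert tcp any any -> any 80 (msg:"demo"; content:"new"; classtype:misc-activity; sid:1000001; rev:3;)'

if __name__ == "__main__":
    for name, text in [("v1", UPDATE_V1), ("v2", UPDATE_V2), ("v3", UPDATE_V3)]:
        tweaked, warns = apply_tweaks(text, TWEAKS)
        print(name, tweaked)
        for w in warns:
            print("  WARNING:", w)
```

The second release changes the rule's content and the tweak still lands on the new version; the third drops the explicit priority option, so the rule is left as shipped and a warning flags the stale tweak.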


