Re: [Snort-users] ignore bad rule on startup
This is a discussion on Re: [Snort-users] ignore bad rule on startup within the Snort forums, part of the System Security and Security Related category; In short, no. Snort will find the bad rule and exit. It will not 'keep going' if it finds a ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
07-19-2006
|
|||
|
|||
Re: [Snort-users] ignore bad rule on startup
In short, no. Snort will find the bad rule and exit. It will not 'keep going' if it finds a bad rule.
Joel On Wed, Jul 19, 2006 at 06:13:46PM -0400, kakomon sent me: > yes i understand this, however, what if a new 'bad' rule with a new sid > would be committed ? > > thank you all > .mike > > > > On Wed, 2006-07-19 at 17:57 +0200, Klein, Jeremie wrote: > > Hi, > > > > Oinkmaster can modify the rules on the fly just after downloading. > > You have to configure him as explained in the example. It is based on Sids, so you just can tell to oinkmaster to comment out your rule given a sid. > > > > -----Message d'origine----- > > De : snort-users-bounces@lists.sourceforge.net [mailto:snort-users-bounces@lists.sourceforge.net] De la part de kakomon > > Envoy? : mercredi 19 juillet 2006 23:52 > > ? : snort-users@lists.sourceforge.net > > Objet : Re: [Snort-users] ignore bad rule on startup > > > > Thank you for your answer Paul > > however i'm asking if there is an option, an argument, a switch or > > something, to make snort skip eventual garbage during startup > > > > i've seen snort refusing to start due a 'fwsam' directive in some > > bleedingedge rules, like the file 'bleeding-dshield-BLOCK.rules' > > > > or, for example, if it finds two rules with the same SID > > > > i'll like to know if the behaviour could be to simply skip those rules > > > > this would provide me to auto-download the rules, > > maybe with oinkmaster > > > > now it's not possible because if a new rules update could breaks snort, > > it will not startup anymore > > > > think about the disaster if snort is inline: > > all the traffic would be waiting in queue ! > > > > thank you very much for your time > > .mike > > > > > > On Wed, 2006-07-19 at 10:21 -0500, Paul Schmehl wrote: > > > kakomon wrote: > > > > Hi all ! > > > > i've just subscribed this list and here comes the first question: > > > > is there a way to make snort ignore a bad rule on startup, instead of > > > > throwing an error and don't start at all ? > > > > > > > Sure. Just comment the rule out. > > > > > > > > > ------------------------------------------------------------------------- > > Take Surveys. Earn Cash. Influence the Future of IT > > Join SourceForge.net's Techsay panel and you'll get the chance to share your > > opinions on IT & business topics through brief surveys -- and earn cash > > http://www.techsay.com/default.php?p...rge&CID=DEVDEV > > _______________________________________________ > > Snort-users mailing list > > Snort-users@lists.sourceforge.net > > Go to this URL to change user options or unsubscribe: > > https://lists.sourceforge.net/lists/...fo/snort-users > > Snort-users list archive: > > http://www.geocrawler.com/redir-sf.p...st=snort-users > > > > ------------------------------------------------------------------------- > > Take Surveys. Earn Cash. Influence the Future of IT > > Join SourceForge.net's Techsay panel and you'll get the chance to share your > > opinions on IT & business topics through brief surveys -- and earn cash > > http://www.techsay.com/default.php?p...rge&CID=DEVDEV > > _______________________________________________ > > Snort-users mailing list > > Snort-users@lists.sourceforge.net > > Go to this URL to change user options or unsubscribe: > > https://lists.sourceforge.net/lists/...fo/snort-users > > Snort-users list archive: > > http://www.geocrawler.com/redir-sf.p...st=snort-users > > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share your > opinions on IT & business topics through brief surveys -- and earn cash > http://www.techsay.com/default.php?p...rge&CID=DEVDEV > _______________________________________________ > Snort-users mailing list > Snort-users@lists.sourceforge.net > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/...fo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.p...st=snort-users > +---------------------------------------------------------------------+ Joel Esler Senior Security Consultant 1-706-627-2101 Sourcefire Security for the /Real/ World -- http://www.sourcefire.com Snort - Open Source Network IPS/IDS -- http://www.snort.org GPG Key: http://demo.sourcefire.com/jesler.pgp.key AIM:eslerjoel YMSG:eslerjoel Gtalk:eslerj +---------------------------------------------------------------------+ ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?p...rge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
