Re: [Snort-users] ignore bad rule on startup
This is a discussion on Re: [Snort-users] ignore bad rule on startup within the Snort forums, part of the System Security and Security Related category; There is currently no way to do what your asking. The reason for this = is snort parses the rules keyword ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
07-19-2006
|
|||
|
|||
Re: [Snort-users] ignore bad rule on startup
There is currently no way to do what your asking. The reason for this =
is snort parses the rules keyword by keyword. It doesn't parse the = rule, validate the rule, and then load the rule into the opt tree node. Cheers, -matt kakomon wrote: > yes i understand this, however, what if a new 'bad' rule with a new sid > would be committed ? > = > thank you all > .mike > = > = > = > On Wed, 2006-07-19 at 17:57 +0200, Klein, Jeremie wrote: > = >>Hi, >> >>Oinkmaster can modify the rules on the fly just after downloading. >>You have to configure him as explained in the example. It is based on Sid= s, so you just can tell to oinkmaster to comment out your rule given a sid. >> >>-----Message d'origine----- >>De : snort-users-bounces@lists.sourceforge.net [mailto:snort-users-bounce= s@lists.sourceforge.net] De la part de kakomon >>Envoy=E9 : mercredi 19 juillet 2006 23:52 >>=C0 : snort-users@lists.sourceforge.net >>Objet : Re: [Snort-users] ignore bad rule on startup >> >>Thank you for your answer Paul >>however i'm asking if there is an option, an argument, a switch or >>something, to make snort skip eventual garbage during startup >> >>i've seen snort refusing to start due a 'fwsam' directive in some >>bleedingedge rules, like the file 'bleeding-dshield-BLOCK.rules' >> >>or, for example, if it finds two rules with the same SID >> >>i'll like to know if the behaviour could be to simply skip those rules >> >>this would provide me to auto-download the rules, >>maybe with oinkmaster >> >>now it's not possible because if a new rules update could breaks snort, >>it will not startup anymore >> >>think about the disaster if snort is inline: >>all the traffic would be waiting in queue ! >> >>thank you very much for your time >>.mike >> >> >>On Wed, 2006-07-19 at 10:21 -0500, Paul Schmehl wrote: >> >>>kakomon wrote: >>> >>>>Hi all ! >>>>i've just subscribed this list and here comes the first question: >>>>is there a way to make snort ignore a bad rule on startup, instead of >>>>throwing an error and don't start at all ? >>>> >>> >>>Sure. Just comment the rule out. >>> >> >> >>------------------------------------------------------------------------- >>Take Surveys. Earn Cash. Influence the Future of IT >>Join SourceForge.net's Techsay panel and you'll get the chance to share y= our >>opinions on IT & business topics through brief surveys -- and earn cash >>http://www.techsay.com/default.php?p...eforge&CID=3D= DEVDEV >>______________________________________________ _ >>Snort-users mailing list >>Snort-users@lists.sourceforge.net >>Go to this URL to change user options or unsubscribe: >>https://lists.sourceforge.net/lists/...fo/snort-users >>Snort-users list archive: >>http://www.geocrawler.com/redir-sf.p...=3Dsnort-users >> >>------------------------------------------------------------------------- >>Take Surveys. Earn Cash. Influence the Future of IT >>Join SourceForge.net's Techsay panel and you'll get the chance to share y= our >>opinions on IT & business topics through brief surveys -- and earn cash >>http://www.techsay.com/default.php?p...eforge&CID=3D= DEVDEV >>______________________________________________ _ >>Snort-users mailing list >>Snort-users@lists.sourceforge.net >>Go to this URL to change user options or unsubscribe: >>https://lists.sourceforge.net/lists/...fo/snort-users >>Snort-users list archive: >>http://www.geocrawler.com/redir-sf.p...=3Dsnort-users > = > = > = > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share y= our > opinions on IT & business topics through brief surveys -- and earn cash > http://www.techsay.com/default.php?p...eforge&CID=3D= DEVDEV > _______________________________________________ > Snort-users mailing list > Snort-users@lists.sourceforge.net > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/...fo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.p...=3Dsnort-users > = ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?p...orge&CID=3DDE= VDEV _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...=3Dsnort-users 
|
Linear Mode
