Snort mailing list archives
Re: oinkmaster
From: Andreas Östling <andreaso () it su se>
Date: Wed, 3 Dec 2003 23:28:02 +0100 (CET)
On Wed, 3 Dec 2003, Nicholas Bernstein wrote:
It seems that oinkmaster.pl decided it's running with the -e option, as it is enabling all of the rules that I disable. As you can imagine, this makes for a *lot* of that snort is picking up, and generally makes maintenance a nightmare. I use includes in my snort.cf (i.e. include bad-traffic.rules). I'm running it as "/usr/local/bin/oinkmaster.pl -q -b /etc/snort.last/ -o /etc/snort/". Is there something I'm doing wrong?
It depends on what you mean by "rules that I disable". When running Oinkmaster you must disable rules by adding "disablesid" statements to oinkmaster.conf, not by editing the rules files directly (see INSTALL and README for more info).

If you're a new Oinkmaster user you may find contrib/makesidex.pl useful. It scans your rules files for disabled rules and outputs "disablesid" statements for those so that you can easily add this to oinkmaster.conf.

If you mean that it worked before but these things just started happening when switching version or something like that, please send me more details.

/Andreas
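The scan described in the reply above, as an added Python example; it is not the code of contrib/makesidex.pl and not part of the original message. It assumes one rule per line, and the function names and the sample rules are constructed for illustration.

```python
import re

# A commented-out Snort rule: "#", an action keyword, a header, "(options)".
DISABLED_RULE = re.compile(
    r'^\s*#+\s*(?:alert|log|pass|activate|dynamic)\s.*\(.*\)\s*$')
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')      # any quoted option value
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def disabled_sids(rule_text):
    """Return {sid: msg} for every commented-out rule in rule_text."""
    found = {}
    for line in rule_text.splitlines():
        if not DISABLED_RULE.match(line):
            continue        # active rule, ordinary comment, or blank line
        # Blank out quoted values first so text such as content:"sid:9;"
        # cannot be mistaken for the rule's real sid option.
        sid = SID.search(QUOTED.sub('""', line))
        if sid is None:
            continue        # nothing a disablesid statement could refer to
        msg = MSG.search(line)
        found.setdefault(int(sid.group(1)), msg.group(1) if msg else "")
    return found


def to_disablesid(found):
    """Render lines for oinkmaster.conf, one disablesid statement per SID."""
    out = []
    for sid in sorted(found):
        if found[sid]:
            out.append("# " + found[sid])   # rule message as a comment line
        out.append("disablesid %d" % sid)
    return "\n".join(out)


# Constructed sample rules file (SIDs and messages are made up).
SAMPLE_RULES = r'''# header comment, not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed active rule"; sid:1000001; rev:1;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed noisy ping"; sid:1000002; rev:3;)
# alert udp any any -> any 53 (msg:"constructed dns rule"; content:"sid:9;"; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    print(to_disablesid(disabled_sids(SAMPLE_RULES)))
```

The printed statements are what would be appended to oinkmaster.conf, so the rules stay disabled after each update instead of being re-enabled when the rules files are overwritten.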