Snort mailing list archives

Re: oinkmaster


From: Andreas Östling <andreaso () it su se>
Date: Wed, 3 Dec 2003 23:28:02 +0100 (CET)


On Wed, 3 Dec 2003, Nicholas Bernstein wrote:

It seems that oinkmaster.pl decided it's running with the -e option, as
it is enabling all of the rules that I disable. As you can imagine, this
makes for a *lot* of that snort is picking up, and generally makes
maintenance a nightmare.

I use includes in my snort.cf (i.e. include bad-traffic.rules). I'm
running it as

        "/usr/local/bin/oinkmaster.pl -q -b /etc/snort.last/ -o /etc/snort/"

Is there something I'm doing wrong?

It depends on what you mean by "rules that I disable".
When running Oinkmaster you must disable rules by adding "disablesid"
statements to oinkmaster.conf, not by editing the rules files
directly (see INSTALL and README for more info).
If you're a new Oinkmaster user you may find contrib/makesidex.pl useful.
It scans your rules files for disabled rules and outputs "disablesid"
statements for those so that you can easily add this to oinkmaster.conf.

If you mean that it worked before but these things just started happening
when switching version or something like that, please send me more
details.

/Andreas
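
An added illustration of the conversion described in the reply above (not part of the original message, and not the code of contrib/makesidex.pl): it scans rules text for commented-out rules and emits "disablesid" lines for oinkmaster.conf. The regexes, function names and sample rules are constructed for this example, and it assumes each rule sits on a single line.

```python
import re

ACTIONS = "alert|log|pass|drop|reject|sdrop|activate|dynamic"
# Commented-out line that still looks like "<action> <header> (<options>)".
DISABLED_RULE = re.compile(rf"^\s*#+\s*(?:{ACTIONS})\s.*?\((.*)\)\s*$")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG = re.compile(r'\bmsg\s*:\s*"([^"]*)"')

# Constructed sample in the style of a Snort rules file (not real rules).
SAMPLE_RULES = '''\
# Local tuning notes
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE enabled rule"; content:"abc"; sid:1000001; rev:1;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE noisy ping"; itype:8; sid:1000002; rev:3;)
# alert udp any any -> any 53 (msg:"EXAMPLE dns lookup"; sid:1000003; rev:1;)
# alert rules below were tuned on 2003-12-03 (see ticket)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE noisy ping"; itype:8; sid:1000002; rev:3;)
'''

def disabled_sids(lines):
    """Return [(sid, msg)] for commented-out rules, in file order, no repeats."""
    found, seen = [], set()
    for line in lines:
        rule = DISABLED_RULE.match(line)
        if not rule:
            continue  # enabled rule, blank line or ordinary comment
        sid = SID.search(rule.group(1))
        if not sid:
            continue  # a comment that merely resembles a rule
        number = int(sid.group(1))
        if number not in seen:
            seen.add(number)
            msg = MSG.search(rule.group(1))
            found.append((number, msg.group(1) if msg else ""))
    return found

def to_disablesid(entries):
    """Render entries as oinkmaster.conf lines, with msg as a comment line above."""
    out = []
    for sid, msg in entries:
        if msg:
            out.append(f"# {msg}")
        out.append(f"disablesid {sid}")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_disablesid(disabled_sids(SAMPLE_RULES.splitlines())))
```

Once the generated lines are in oinkmaster.conf, the rules stay disabled across updates instead of being re-enabled when the rules files are replaced.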

