Snort mailing list archives

Re: oinkmaster.conf entered disablesid - get enabled


From: Andreas Östling <andreaso () it su se>
Date: Tue, 16 Dec 2003 22:42:15 +0100 (CET)


On Tue, 16 Dec 2003, Snortty wrote:

> I tried to disable some rules by putting # in front of the
> rule (here in the icmp.rule file), and entered it in
> the oinkmaster.conf at the bottom of the file as:
>
> disablesid 485
>
> Then, I just ran it simply:
>
> oinkmaster-0.8# oinkmaster.pl -o /snort/snort-2.0.1/rules/
>
> to see if the change in rule.icmp would be overwritten.
>
> It got overwritten after I ran it, and the output shows:
> ...

It sounds like you're doing it right, so the only theory I can come up 
with right now is that you're editing a different oinkmaster.conf than the 
one Oinkmaster is using (/usr/local/etc/oinkmaster.conf by default in 
0.8, which you can override with -C <file>). Maybe you edited the one in 
the current directory instead?

If this isn't it, I'd suggest that you run in verbose mode (-v) to have 
Oinkmaster tell you which rules it modifies and see if it mentions SID 
485. Maybe you could also upgrade to Oinkmaster 0.9 which is even more 
noisy/helpful in verbose mode.

/Andreas
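
One way to test the theory in this reply is to check which candidate oinkmaster.conf actually carries an active `disablesid` line and whether the rule is commented out on disk after a run. The shell helper below is an added example, not part of the original message or of Oinkmaster; the function names, the `*.rules` glob and the tolerance for comma-separated SID lists are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch (not Oinkmaster code). Function names are hypothetical.

# conf_disables SID FILE: succeed if FILE has an active (uncommented)
# "disablesid" line naming SID as a whole number. Comma-separated SID
# lists are tolerated (assumption about the config syntax).
conf_disables() {
    _sid=$1; _conf=$2
    [ -r "$_conf" ] || return 2
    _ws='[[:space:]]*'
    grep -Eq "^${_ws}disablesid[[:space:]]+([0-9]+${_ws},${_ws})*${_sid}(${_ws},|${_ws}(#.*)?\$)" "$_conf"
}

# rule_state SID RULES_DIR: print "enabled", "disabled" (commented out) or
# "missing" for the first rule carrying sid:SID in RULES_DIR/*.rules.
rule_state() {
    _sid=$1; _dir=$2
    _line=$(cat "$_dir"/*.rules 2>/dev/null | grep -E "sid:[[:space:]]*${_sid};" |
            head -n 1 | sed 's/^[[:space:]]*//')
    case $_line in
        '')  echo missing ;;
        \#*) echo disabled ;;
        *)   echo enabled ;;
    esac
}

# diagnose SID RULES_DIR CONF...: report, per candidate config file, whether
# it would disable SID, then the rule's current state in RULES_DIR.
diagnose() {
    _s=$1; _d=$2; shift 2
    for _c in "$@"; do
        if conf_disables "$_s" "$_c"; then
            echo "$_c: disablesid $_s present"
        else
            echo "$_c: disablesid $_s not found (or file unreadable)"
        fi
    done
    echo "rule $_s in $_d: $(rule_state "$_s" "$_d")"
}

# Usage with the paths mentioned in this thread:
#   diagnose 485 /snort/snort-2.0.1/rules /usr/local/etc/oinkmaster.conf ./oinkmaster.conf
```

If only the copy in the current directory reports the line, the file Oinkmaster reads by default does not contain it, and pointing Oinkmaster at the edited file with -C is the fix.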

