Snort mailing list archives
RE: welchia rule
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 4 Nov 2003 11:54:20 -0600
-----Original Message-----
From: Leonard Miller [mailto:Leonard.Miller () udlp com]
Sent: Tuesday, November 04, 2003 11:11 AM
To: snort-users () lists sourceforge net; dortega () uacj mx; Schmehl, Paul L
Subject: RE: [Snort-users] welchia rule

Hi, I just started using snort. In order to use this rule, do I just add that to the virus.rules file and enable the rule in snort.conf? If I should start with something a little more simple, let me know.
No, you need to create a local rules file. When you update your rules from snort, any modifications to the rules will be erased by the updates. To avoid this problem, create your own rules file. Call it my.rules or custom.rules, or whatever suits your fancy. Then you put rules like this into that file, unless they get adopted by the snort folks and added to the standard ruleset. (This isn't likely in the case of virus or worm rules, because those are not being maintained.)

I have two custom sets of rules. One is named utd.rules and is the "permanent" custom set. The second is called special.rules and is where I put test rules to try them out.

Don't forget to add custom.rules (or whatever you named it) to your snort.conf file so that snort knows about them when it's started up. And any time you make changes to rules, you'll need to restart snort for them to take effect.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
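The procedure described in the reply above, as an added example that is not part of the original message or of the Snort distribution: a shell function that creates a site-local rules file and registers it in snort.conf exactly once. The function name, the file locations, and the assumption that snort.conf defines RULE_PATH are illustrative.

```shell
#!/bin/sh
# Added example: register a site-local rules file in snort.conf.
# Assumes snort.conf defines RULE_PATH (e.g. "var RULE_PATH ..."); the
# file names and directories passed in are up to the administrator.

# add_local_rules CONF RULES_DIR NAME
# Creates RULES_DIR/NAME if it is missing and appends an include line to
# CONF unless an active (uncommented) include for NAME already exists.
add_local_rules() {
    conf=$1; rules_dir=$2; name=$3
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }

    # Never overwrite an existing local file: it holds your own rules.
    if [ ! -e "$rules_dir/$name" ]; then
        printf '# site-local rules, kept out of the distributed rule files\n' \
            > "$rules_dir/$name" || return 1
    fi

    # Escape dots so "custom.rules" is matched literally by grep -E.
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')

    # An include that is commented out does not count as registered.
    if grep -Eq "^[[:space:]]*include[[:space:]]+(.*/)?$pat[[:space:]]*\$" "$conf"; then
        return 0
    fi

    # Single quotes keep $RULE_PATH literal for Snort to expand.
    printf 'include $RULE_PATH/%s\n' "$name" >> "$conf"
}
```

After running it, `snort -T -c <path to snort.conf>` tests the configuration before the restart that makes the new rules take effect.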