Re: Rule update question

[Andreas Östling <andreaso () it su se>]

FYI, in the cvs snapshot 
(http://oinkmaster.sourceforge.net/oinkmaster-snapshot.tar.gz) you can now 
use "localsid <sid>" to make Oinkmaster keep the local copy of specified 
rules. I still think this feature should not be used unless in special cases 
though (more docs about this will be in the 1.1 release).

/Andreas

On Tuesday 15 June 2004 11:37, Andreas Östling wrote:
> On Monday 14 June 2004 20:42, Nick Duda wrote:
> > Silly question, I just drew a blank as I once did this....
> >
> > How can I set oinkmaster when coming to a rule that was modified
> > manually to skip it, but I don't want it disabled. Say I modified the
> > rule from :
> >
> > Example:
> > Alert icmp $EXTERNAL_NET any -> $HOME_NET
> > To
> > Alert icmp $EXTERNAL_NET any -> ![x.x.x.x}
>
> You can't really do that (for the reasons recently discussed here), but you
> could do a modifysid for it:
> modifysid <sid> "-> \$HOME_NET" | "-> ![foo]"
>
> /Andreas



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users