Snort mailing list archives
Re: Writing/placing custom rules
From: mac subbu <dnacat25 () gmail com>
Date: Sat, 11 Feb 2006 13:03:35 +0530
Hi Thanks Does where you place your local.rules have any impact on other rule files I would mean what is the precedence/impact of local.rules to other rule files ..do they override them tec regards On 2/9/06, Joel Esler <joel.esler () sourcefire com> wrote:
My recommendation is to place your custom rules in the local.rules file. If you are going to use alot of pass rules, I generally recommend making a whole different rules file called pass.rules, then place your pass rules in that file. Just make sure you include the pass.rules in your snort.conf file. However, rather than writing alot of pass rules, I generally recommend using suppression instead of pass rules. Check out the Snort User manual for details on suppression. Joel On Feb 9, 2006, at 11:06 AM, mac subbu wrote:Hi We would like to add custom rules to our snort configuration file 11)which would be the best place to write them a)Write pass alert rules directly in the snort conf file b)In local rules file IF i write them in local rules file what would it impact on other rule files What precautions need to be taken and what are the best practices regards
Current thread:
- Writing/placing custom rules mac subbu (Feb 09)
- Re: Writing/placing custom rules Joel Esler (Feb 09)
- Re: Writing/placing custom rules mac subbu (Feb 10)
- Re: Writing/placing custom rules Joel Esler (Feb 09)