Snort mailing list archives
re: oinkmaster
From: adam_peterson () splwg com
Date: Wed, 3 Dec 2003 14:23:24 -0800
I think you want to check out the 'disablesid' option in your oinkmaster.conf file. That will tell oinkmaster to disable the sids that you want when it updates your rules. By default it will simply download the new rule files and put them where you tell it to. If the new rule files don't exclude the same sids you've excluded, the result is what you're describing. The syntax in oinkmaster.conf is simply: disablesid 123
> It seems that oinkmaster.pl decided it's running with the -e option, as it is enabling all of the rules that I disable. As you can imagine, this makes for a *lot* of that snort is picking up, and generally makes maintenance a nightmare.
>
> I use includes in my snort.cf (i.e. include bad-traffic.rules). I'm running it as
>
> "/usr/local/bin/oinkmaster.pl -q -b /etc/snort.last/ -o /etc/snort/"
>
> is there something I'm doing wrong?
>
> Thanks!
> Nick
> --
> +---------------------------------------------------------------+
> | Nicholas Bernstein | nick () docmagic com |
> | UNIX Systems Administrator | http://www.docmagic.com |
> | Document Systems Inc. | |
> | gpg: F706 8C4E 78FA DDDD 53A0 019F D983 FE28 2002 D1F3 |
> +---------------------------------------------------------------+
Adam Peterson | Senior WAN Engineer | SPL WorldGroup | adam_peterson () splwg com
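The following is an added illustration of the 'disablesid' behaviour described above; it is not code from the thread or from the oinkmaster project. It builds a constructed oinkmaster.conf fragment and a constructed rules file in a temporary directory, comments out the listed sids the way an updated rules file would end up after oinkmaster applies 'disablesid' (the sed-based rewrite here is an emulation for illustration, not oinkmaster's own code), and provides a check function you can point at a real rules file after an update to confirm a rule really is commented out. The 'url' value is a placeholder.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the oinkmaster project.
# Emulates what 'disablesid' does to a freshly downloaded rules file and
# provides a post-update check for a given sid.
set -eu

WORK=$(mktemp -d)

# Constructed oinkmaster.conf fragment; the url is a placeholder, not a real feed.
cat > "$WORK/oinkmaster.conf" <<'EOF'
url = http://example.invalid/rules/snortrules.tar.gz
disablesid 1234, 5678
EOF

# Constructed rules file standing in for a freshly downloaded bad-traffic.rules.
cat > "$WORK/bad-traffic.rules" <<'EOF'
alert tcp any any -> any 1234 (msg:"noisy rule one"; sid:1234; rev:1;)
alert tcp any any -> any 5678 (msg:"noisy rule two"; sid:5678; rev:2;)
alert tcp any any -> any 9999 (msg:"keep this one"; sid:9999; rev:1;)
EOF

# Print every sid named on 'disablesid' lines, one per whitespace-separated token.
disabled_sids() {   # $1 = oinkmaster.conf
    sed -n 's/^disablesid[[:space:]]*//p' "$1" | tr ',' ' '
}

# Comment out active rules whose sid is listed; lines already commented are left alone.
# This emulates oinkmaster's post-update step for illustration only.
apply_disablesid() {   # $1 = oinkmaster.conf, $2 = rules file
    for sid in $(disabled_sids "$1"); do
        sed "/^[[:space:]]*#/!s/^\(.*sid:[[:space:]]*${sid};.*\)$/# \1/" "$2" > "$2.tmp"
        mv "$2.tmp" "$2"
    done
}

# Check usable on a real rules file: returns 0 if the rule with this sid is
# commented out (or absent), 1 if an active (uncommented) rule with it remains.
sid_is_disabled() {   # $1 = rules file, $2 = sid
    if grep -q "^[[:space:]]*[a-z].*sid:[[:space:]]*$2;" "$1"; then
        return 1
    fi
    return 0
}

apply_disablesid "$WORK/oinkmaster.conf" "$WORK/bad-traffic.rules"
cat "$WORK/bad-traffic.rules"
```

After a real run, the same check can be applied to the updated rules directory, e.g. `sid_is_disabled /etc/snort/bad-traffic.rules 1234`; a non-zero exit means the sid is still active and the 'disablesid' line was not picked up (one common cause is oinkmaster reading a different config file than the one edited, which the -C option lets you specify explicitly).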
Current thread:
- oinkmaster Nicholas Bernstein (Dec 03)
- Re: oinkmaster Andreas Östling (Dec 03)
- <Possible follow-ups>
- re: oinkmaster adam_peterson (Dec 03)