Snort mailing list archives

re: oinkmaster


From: adam_peterson () splwg com
Date: Wed, 3 Dec 2003 14:23:24 -0800

I think you want to check out the 'disablesid' option in your 
oinkmaster.conf file.  That will tell oinkmaster to disable the sids that 
you want when it updates your rules.  By default it will simply download 
the new rule files and put them where you tell it to.  If the new rule 
files don't exclude the same sids you've excluded, the result is what 
you're describing.  The syntax in oinkmaster.conf is simply:

disablesid 123

It seems that oinkmaster.pl decided it's running with the -e option, as
it is enabling all of the rules that I disable. As you can imagine, this
makes for a *lot* that snort is picking up, and generally makes
maintenance a nightmare.

I use includes in my snort.cf (i.e. include bad-traffic.rules). I'm
running it as

       "/usr/local/bin/oinkmaster.pl -q -b /etc/snort.last/ -o /etc/snort/"

is there something I'm doing wrong?

Thanks!
Nick
-- 
+---------------------------------------------------------------+
| Nicholas Bernstein            | nick () docmagic com             |
| UNIX Systems Administrator    | http://www.docmagic.com       |
| Document Systems Inc.         |                |
| gpg: F706 8C4E 78FA DDDD 53A0 019F D983 FE28 2002 D1F3                |
+---------------------------------------------------------------+

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | 
adam_peterson () splwg com
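To make the behaviour Adam describes concrete, here is a small Python model of the update step: the freshly downloaded rule file replaces the local one (so any hand-placed '#' in the old file is lost), and only the sids listed under 'disablesid' in oinkmaster.conf get commented out again. This is an added illustration, not code from oinkmaster or from anyone in this thread; the rule lines, the config fragment, and the assumption that a 'disablesid' line may carry several comma-separated sids are all constructed for the example.

```python
import re

# Matches the sid keyword inside a Snort rule's option block
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample data (assumptions for this example, not real rules or a real config)
FRESH_RULES = """\
# freshly downloaded rule file: every rule arrives enabled
alert tcp any any -> any 80 (msg:"sample 1"; sid:1000001; rev:1;)
alert tcp any any -> any 81 (msg:"sample 2"; sid:1000002; rev:1;)
alert tcp any any -> any 82 (msg:"sample 3"; sid:1000003; rev:1;)
alert tcp any any -> any 83 (msg:"sample 4"; sid:1000004; rev:1;)
"""

SAMPLE_CONF = """\
# oinkmaster.conf fragment; other options are ignored by this toy parser
url = http://rules.example.invalid/snortrules.tar.gz
disablesid 1000001
disablesid 1000003, 1000005   # several per line, comma separated (assumed syntax)
"""


def parse_disablesid(conf_text):
    """Collect every sid named on a 'disablesid' line of the config."""
    disabled = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.lower().startswith("disablesid"):
            continue
        for token in line[len("disablesid"):].replace(",", " ").split():
            if token.isdigit():
                disabled.add(int(token))
    return disabled


def apply_disablesid(rules_text, disabled):
    """Comment out (never delete) active rules whose sid is in 'disabled'."""
    out = []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            out.append(line)                         # blank or already disabled
            continue
        match = SID_RE.search(line)
        if match and int(match.group(1)) in disabled:
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def update_rules(fresh_rules_text, conf_text):
    """Model one update: the new file wins, then disablesid is re-applied.

    Local '#' edits made by hand in the old copy do not survive this step,
    which is why rules disabled only in the old file come back enabled."""
    return apply_disablesid(fresh_rules_text, parse_disablesid(conf_text))


def enabled_sids(rules_text):
    """Sids of rules that are active (not commented out) in a rule file."""
    sids = []
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = SID_RE.search(line)
        if match:
            sids.append(int(match.group(1)))
    return sorted(sids)


if __name__ == "__main__":
    print("without disablesid:", enabled_sids(FRESH_RULES))
    print("with disablesid:   ", enabled_sids(update_rules(FRESH_RULES, SAMPLE_CONF)))
```

Running the module prints the sids that are active before and after the config is applied; the sid that appears in the config but not in the downloaded file (1000005 here) is simply ignored, which is the same harmless outcome you get when a rule is retired upstream.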
