Snort mailing list archives
Re: Rules
From: Andreas Östling <andreaso () it su se>
Date: Tue, 23 Dec 2003 18:56:57 +0100 (CET)
On Tue, 23 Dec 2003, Matt Kettler wrote:
> At 08:34 AM 12/23/2003, Gerson Sampaio wrote:
> However, even oinkmaster isn't going to be able to auto-update the rules you've edited to have flexresp's.. those rules you'll have to hand update.. but it can update the other rules in the same file...
> http://oinkmaster.sourceforge.net/
Actually, you can do it automatically with oinkmaster. Is it recommended? in some places maybe :)
If possible, it's probably safer to move such heavily customized rules to a separate file and maintain it manually though.

For example, to add "resp:reset;" at the end of SID 301:

modifysid 301 "\)$" | "resp:reset;)"

Or to add "resp:reset;" to ALL rules (it's an example - don't do it :)

modifysid * "\)$" | "resp:reset;)"

There are some more examples and usage info in the default oinkmaster.conf.

/Andreas
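Added example (not part of the original message and not oinkmaster's own code): a small Python preview of which rules the two modifysid lines above would rewrite, so the scope of a directive can be checked before it goes into oinkmaster.conf. The sample rules are constructed, the function names are hypothetical, and the emulation assumes a literal replacement applied to the first match only.

```python
import re

# Constructed sample rules for illustration; not taken from the Snort rule set.
SAMPLE_RULES = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXAMPLE constructed rule A"; flow:to_server,established; sid:301; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed rule B"; flow:to_server,established; sid:1000001; rev:1;)
'''

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MODIFY_RE = re.compile(r'^modifysid\s+(\S+)\s+"(.*)"\s*\|\s*"(.*)"\s*$')


def parse_modifysid(line):
    """Split 'modifysid <sid|*> "regex" | "replacement"' into its three parts."""
    m = MODIFY_RE.match(line.strip())
    if m is None:
        raise ValueError("not a modifysid line: %r" % line)
    return m.groups()


def preview(directive, rules_text):
    """Return (sid, before, after) for every rule the directive would change."""
    target, pattern, replacement = parse_modifysid(directive)
    regex = re.compile(pattern)
    changes = []
    for rule in rules_text.splitlines():
        found = SID_RE.search(rule)
        if found is None:
            continue  # blank line or anything without a SID
        sid = found.group(1)
        if target != "*" and target != sid:
            continue
        # Assumption: literal replacement, first match only (no backreferences).
        after = regex.sub(lambda _m: replacement, rule, count=1)
        if after != rule:
            changes.append((sid, rule, after))
    return changes


if __name__ == "__main__":
    for directive in (r'modifysid 301 "\)$" | "resp:reset;)"',
                      r'modifysid * "\)$" | "resp:reset;)"'):
        hits = preview(directive, SAMPLE_RULES)
        print("%s -> %d rule(s) changed" % (directive, len(hits)))
        for sid, _before, after in hits:
            print("  sid %s now ends: ...%s" % (sid, after[-24:]))
```

With the wildcard form every rule in the file gains the response option, which is the case the message says not to use.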