Snort mailing list archives

Re: New rules keyword error


From: Andreas Östling <andreaso () it su se>
Date: Thu, 23 Oct 2003 21:02:23 +0200 (CEST)


On Thu, 23 Oct 2003, John Creegan wrote:

> In that script, one could use an instance of snort, even if there's
> only one box doing IDS, to test the new ruleset (pointing to an
> alternate ruleset).  Snort puts out plenty to know if it didn't start
> because of a malformed rule or if there were daemon errors starting up
> or whatever.  If no errors, fold in the new rules and restart the
> production snort(s).  If errors, either go into babysitting mode or wait
> for another day.

I think the solution is extremely simple:

1. Update the rules in whatever way you prefer
2. Run snort -T on the new rules (probably by simply adding -T to your
   regular snort start command line)
3. If the test is successful, go ahead and restart snort. If the test
   fails, yell for help and let the current snort process keep running

It's usually just a matter of adding one or two lines to your snort init
script...

/Andreas
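
The three steps above as an init-script helper, added here as an example and not part of the original post. The config path, the body of `restart_snort`, and the function and variable names are assumptions; `-T` and `-c` are snort's test-mode and config-file options.

```shell
#!/bin/sh
# Added example: only restart Snort when `snort -T` accepts the new rules.
# Assumed values (not from the original post): paths and names below.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Assumed restart mechanism; replace with whatever your init system uses.
restart_snort() {
    /etc/init.d/snort restart
}

# safe_restart [config]
#   0  test passed and the restart command succeeded
#   1  test failed; the running snort process was not touched
#   2  could not run the test at all (unreadable config, no temp file)
safe_restart() {
    conf="${1:-$SNORT_CONF}"

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf; leaving running snort alone" >&2
        return 2
    fi

    # Capture the test output in a private temp file, not a fixed /tmp name.
    log=$(mktemp) || return 2

    # Step 2: -T loads the config and every included rule file, then exits.
    if "$SNORT_BIN" -T -c "$conf" >"$log" 2>&1; then
        rm -f "$log"
        echo "rule test passed; restarting snort"
        # Step 3, success branch.
        restart_snort
        return $?
    fi

    # Step 3, failure branch: keep the old process, show why the test failed.
    echo "rule test FAILED; current snort keeps running. Last output:" >&2
    tail -n 5 "$log" >&2
    rm -f "$log"
    return 1
}
```

Call `safe_restart` from the init script's restart target in place of the unconditional restart, after the rule update in step 1 has written the new files.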

