Snort mailing list archives

Re: updating snort rules with oinkmaster


From: Andreas Östling <andreaso () it su se>
Date: Wed, 2 Jun 2004 23:11:09 +0200 (CEST)


Hello,

To answer your question, there is currently no 
I-modified-this-rule-so-never-auto-update-it-again feature.
I tried to explain this in the FAQ 
(Q16/A16 at http://oinkmaster.sourceforge.net/faq.shtml).

My experience is that such a feature can very easily give you lots of 
rules that simply don't get maintained anymore just because you once 
modified some detail in them (which you usually forget or don't care about 
after a while).

When using Oinkmaster you could always put heavily customized rules in 
some local rules file and then disable the original rule. For minor tweaks 
(such as modifying the priority) I prefer to use 'modifysid' to apply the 
modification after each rules update instead. This way, if the 
official/original rule gets updated, you still get the new version of the 
rule while your tweak would still be applied (as long as the regexp still 
matches of course, but you will get a warning if it doesn't). Another 
important point is that this is kind of self-documenting, and the
modifysid stuff will hopefully be much easier in 1.1 as well.

The feature you asked about could probably be implemented but I never 
cared to do it as I wouldn't use it myself. But of course, these are just 
my personal opinions so any suggestions/patches are always appreciated.

/Andreas


On Wed, 2 Jun 2004 Pascal.Dubach () swisscom com wrote:

Hello,

I am trying to update my snort rules, and this works fine. 
But I have changed the priorities of some rules in some rule-files.
If I just update all the snort rules, the customized ones will be
overwritten. 
Is there any possibility not to update these rules? If I just disable
the sid, the rules wouldn't be active anymore, but I want to log the
alerts on the server, so they have to be active.

thx and Kind Regards,
Pascal
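
Added example (not part of the original messages and not Oinkmaster's own code): a Python model of the modifysid workflow described in the reply above, where a priority tweak is re-applied after every rules update and a warning is raised once the regexp stops matching. The sample rules, SID 1000001, and the names apply_mods and MODS are constructed for illustration.

```python
import re

# Constructed sample rules (not real Snort signatures): one SID as shipped
# in three successive upstream rule updates.
REV1 = ('alert tcp any any -> any 80 (msg:"CONSTRUCTED example"; '
        'content:"foo"; priority:3; sid:1000001; rev:1;)')
REV2 = ('alert tcp any any -> any 80 (msg:"CONSTRUCTED example"; '
        'content:"foo"; nocase; priority:3; sid:1000001; rev:2;)')
REV3 = ('alert tcp any any -> any 80 (msg:"CONSTRUCTED example"; '
        'content:"foo"; nocase; sid:1000001; rev:3;)')  # priority option dropped

# Local tweaks keyed by SID: (regexp, replacement). Models an oinkmaster.conf
# entry of the form:  modifysid 1000001 "priority:3;" | "priority:1;"
MODS = {1000001: (r"priority:\s*3;", "priority:1;")}

SID_RE = re.compile(r"\bsid:\s*(\d+);")

def apply_mods(rules, mods):
    """Apply per-SID substitutions to freshly downloaded rules.

    Returns (modified_rules, warnings). A rule whose pattern no longer
    matches is passed through unchanged and reported, so a silently lost
    tweak shows up in the update output.
    """
    out, warnings = [], []
    for rule in rules:
        m = SID_RE.search(rule)
        sid = int(m.group(1)) if m else None
        if sid in mods:
            pattern, repl = mods[sid]
            rule, hits = re.subn(pattern, repl, rule)
            if hits == 0:
                warnings.append(f"SID {sid}: {pattern!r} did not match, "
                                "rule left as shipped")
        out.append(rule)
    return out, warnings

if __name__ == "__main__":
    for rev in (REV1, REV2, REV3):
        rules, warns = apply_mods([rev], MODS)
        print(rules[0])
        for w in warns:
            print("WARNING:", w)
```

REV2 shows the upstream change (nocase, rev:2) arriving with the local priority intact; REV3 shows the case where the tweak is lost and must be reviewed by hand.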

