Snort mailing list archives
Re: keeping tuned signatures after update of snort.conf
From: Joel Esler <joel.esler () sourcefire com>
Date: Wed, 13 Sep 2006 10:02:54 -0400
No problem On Wed, Sep 13, 2006 at 09:37:22AM -0400, martin apparently sent me:
Joel, thank you very much for your help! -martin On 9/12/06, Joel Esler <joel.esler () sourcefire com> wrote:Base has some dependencies, but there are more pros than cons. Oinkmaster, use 'modifysid' to turn the rule off, look in the documentation or even in the oinkmaster.conf file.I was under the assumption if the rule is edited and ID remains the same it will not be overwritten on next oinkmaster update..Am i mistaken here?If a rule is edited and the ID remains the same, the rule WILL be overwritten (hence why I recommend you edit a COPY of our rule, as opposed to editing our direct rule, because if you modify our rule, then use oinkmaster, all your changes just got zapped). I'd rather edit manually, but I have alot of stuff that does it for me. On Tue, Sep 12, 2006 at 02:50:37PM -0400, martin apparently sent me:Thanks Joel. I tried SC 2 ...as crappy as SC 1 really. Lots of bugs and still does nothing for me. I tried installing base but got a lot of dependency issues and gave up. I will try again. On oinkmaster how would I shut off your rules specifically? I was under the assumption if the rule is edited and ID remains the same it will not be overwritten on next oinkmaster update..Am i mistaken here? I haven't done IDSPM yet because it is Windows based. I wonder why there is no proper linux-based console...But I will provision machine and do it. Would you recommend that over editing manually? thanks Martin On 9/12/06, Joel Esler <joel.esler () sourcefire com> wrote:First off, ditch ACID. :-) Use BASE. base.secureideas.net ACID is dead. There's a couple ideas I can give you, one: IDSPM from http://www.activeworx.org two: http://www.sourcefire.com :) three: Sguil (Bamm, am I right with that?) I think I heard of a SnortCenter2 as well. Try checking for that. Also, if you are editing the Sourcefire signatures, it's recommended that you copy the rule you are editing to local.rules, edit it, and shut off ours using oinkmaster, and in the rules file. Also, ensure that your variables are accurate as well. Joel On Sun, Aug 27, 2006 at 12:13:28PM -0400, martin apparently sent me:I have a Snort-Mysql-Acid-Snortcenter setup. I am using Snortcenter to update my signature files to my 6 sensors. The problem I am having is Snortcenter does not edit the signatures correctly in the DB so my Snortcenter updates overwrite my exisiting changes in the snort.conf files (any tuning or removing of signatures). What alternative is there to snortcenter that I can use to tune signatures from a central location and push out? thanks ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users+---------------------------------------------------------------------+ joel esler senior security consultant 1-706-627-2101 Sourcefire Security for the /Real/ World -- http://www.sourcefire.com Snort - Open Source Network IPS/IDS -- http://www.snort.org gpg key: http://demo.sourcefire.com/jesler.pgp.key aim:eslerjoel ymsg:eslerjoel gtalk:eslerj +---------------------------------------------------------------------++---------------------------------------------------------------------+ joel esler senior security consultant 1-706-627-2101 Sourcefire Security for the /Real/ World -- http://www.sourcefire.com Snort - Open Source Network IPS/IDS -- http://www.snort.org gpg key: http://demo.sourcefire.com/jesler.pgp.key aim:eslerjoel ymsg:eslerjoel gtalk:eslerj +---------------------------------------------------------------------+
+---------------------------------------------------------------------+ joel esler senior security consultant 1-706-627-2101 Sourcefire Security for the /Real/ World -- http://www.sourcefire.com Snort - Open Source Network IPS/IDS -- http://www.snort.org gpg key: http://demo.sourcefire.com/jesler.pgp.key aim:eslerjoel ymsg:eslerjoel gtalk:eslerj +---------------------------------------------------------------------+ ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- keeping tuned signatures after update of snort.conf martin (Sep 12)
- Re: keeping tuned signatures after update of snort.conf Joel Esler (Sep 12)
- Re: keeping tuned signatures after update of snort.conf Bamm Visscher (Sep 12)
- Message not available
- Re: keeping tuned signatures after update of snort.conf Joel Esler (Sep 12)
- Message not available
- Re: keeping tuned signatures after update of snort.conf Joel Esler (Sep 13)
- Re: keeping tuned signatures after update of snort.conf Andreas Östling (Sep 18)
- Re: keeping tuned signatures after update of snort.conf Joel Esler (Sep 12)