Re: keeping tuned signatures after update of snort.conf

[Andreas Östling <andreaso () it su se>]

Martin wrote:
> On oinkmaster how would I shut off your rules specifically?
> I was under the assumption if the rule is edited and ID remains the
> same it will not be overwritten on next oinkmaster update..Am i
> mistaken here?

Like Joel said, it will be overwritten. If the downloaded rule is 
different than the local version, the downloaded one is always regarded
as the most recent version. You can however use
'localsid <sid>' in oinkmaster.conf if you want to make local tweaks to 
the rule without moving it to a separate file that isn't controlled by 
Oinkmaster. I personally don't like localsid that much but it's there.
The Oinkmaster FAQ (Q21) at
http://oinkmaster.sourceforge.net/faq.shtml has more info.
If you just want to turn off the rule completely, simply use 'disablesid 
<sid>' instead.

I started creating a web-based interface to editing oinkmaster.conf a 
while ago that will make rules management with Oinkmaster easier 
(especially if you have a large oinkmaster.conf). I hope it will be 
finished any year now.

/Andreas

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users