Re: snort.conf - Problem with RULE_PATH & inclide

[waldo kitty <wkitty42 () windstream net>]

On 07/25/2015 06:40 AM, James Lay wrote:
> On Sat, 2015-07-25 at 08:55 +0100, Charlie wrote:
> > var RULE_PATH ../rules
>
> Use an absolute path:
> var RULE_PATH /opt/etc/snort/rules
> var SO_RULE_PATH /opt/etc/snort/rules
> var PREPROC_RULE_PATH /opt/etc/snort/rules
> var WHITE_LIST_PATH /opt/etc/snort/rules
> var BLACK_LIST_PATH /opt/etc/snort/rules

*AND* in the case of black and white lists, ensure that you do not get the 
reputation processor's black list confused with the snort rules black list... 
one contains actual snort rules... the other contains only IP numbers... they 
are not the same thing... the difference between one file name have an 
underscore '_' in it and the other not is too close for folks to try to keep 
straight... even after years of working with snort and these files, we still 
find mistakes of confusion in this case...

personally speaking, i/we try to ensure that the reputation processor's white 
and black list files do /not/ have a ".rules" extension... they are not "rules" 
files... they are IP list files... so we use black_ips.list and 
white_ips.list... since we did this, we do not have any mistakes of confusion 
and more... it is very easy to see what is what and what each is used for ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!