[Snort-devel] Before you cast your 2.0 in stone ...

Phil Wood cpw at ...86...
Sat Nov 9 16:26:01 EST 2002


I've been trying to keep up.  Ran into conf file problem.  So, here is
a suggestion.

All rules files should end in .rules

The rule file names that come with your distribution are fine.

I've come up with additional names that provide for large site sensor
distribution.

I use local.rules for the rules relevant to the IDS host which may be
running multiple sensors.

I use the new name "site.rules" which covers site wide rules.

I use <instance>.rules for a particular snort process.  <instance> corresponds
to the little tidbit I put in the /var/log/*run file name.

Just a very small morsel for thought.

Thanks,

Phil




