[Snort-sigs] best practice on local signature maintenance

Ian Macdonald secsnortsigs at ...644...
Sat Aug 24 06:11:02 EDT 2002


The way I do it is to keep a separate local file for each zone. When I
modify an existing rule I add an entry to oinkmaster to disable the rule
then copy the rule into my local file for that zone. Oinkmaster is set to
ignore all my local rule files so it doesn't mess with the copy. When I
disable a rule I normally put a comment next to the disable sid command
with the rule msg: entry so I can find the sid easily if I need to go back
and reenable it.

I am thinking about moving to 1 common local file for all sensors and one
for each zone, i.e. inside, dmz et al.

Ian

On Fri, 23 Aug 2002, DoL wrote:

> Hi All
>
> Just wondering how do some of you (we) add our own local signature (or even rule files / changes made to existing signature) and yet be able to maintain the master from snort.org? Do you normally keep a separate set of signatures (rule files) for local, and add the corresponding include statement to the snort.conf?
>
> Thanks
> /dl
>
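
The workflow described in this thread (disable the stock rule in Oinkmaster, keep the modified copy in a per-zone local file that Oinkmaster skips, comment each disabled SID) can be checked mechanically. The following Python audit is an added example, not part of the original messages; it assumes Oinkmaster's `disablesid` and `skipfile` directives, and every file name, SID and rule in it is a constructed placeholder.

```python
import re

# Constructed sample inputs; SIDs, msgs and file names are placeholders.
OINKMASTER_CONF = """\
skipfile local-dmz.rules
disablesid 9001  # EXAMPLE web probe (tuned copy in local-dmz.rules)
disablesid 9002
disablesid 9003  # EXAMPLE noisy ping
"""
LOCAL_RULES = {
    "local-dmz.rules":
        'alert tcp any any -> $DMZ_NET 80 (msg:"EXAMPLE web probe"; sid:9001; rev:2;)\n',
    "local-inside.rules":
        'alert icmp any any -> $INSIDE_NET any (msg:"EXAMPLE inside ping"; sid:1000001; rev:1;)\n',
}

def parse_conf(text):
    """Return (skipped file names, {disabled sid: trailing comment})."""
    skipped, disabled = set(), {}
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        words = body.split(None, 1)
        if len(words) < 2:
            continue  # blank line, pure comment, or directive without a value
        items = [v.strip() for v in words[1].split(",") if v.strip()]
        if words[0] == "skipfile":
            skipped.update(items)
        elif words[0] == "disablesid":
            disabled.update((int(v), comment.strip()) for v in items)
    return skipped, disabled

def audit(conf_text, local_rules):
    """List deviations from the disable-and-copy workflow."""
    skipped, disabled = parse_conf(conf_text)
    findings = []
    for name in sorted(local_rules):
        if name not in skipped:
            findings.append(f"{name}: not listed in skipfile")
    # Every sid that appears in any local rule file.
    local_sids = {int(s) for text in local_rules.values()
                  for s in re.findall(r"\bsid:\s*(\d+)", text)}
    for sid, comment in sorted(disabled.items()):
        if not comment:
            findings.append(f"sid {sid}: disabled without a msg comment")
        if sid not in local_sids:
            findings.append(f"sid {sid}: disabled outright, no local copy")
    return findings
```

A "disabled outright" finding is informational: it separates rules that were switched off from rules that were replaced by a tuned local copy.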




