[Snort-sigs] best practice on local signature maintenance

Jeff Dell jdell at ...178...
Sat Aug 24 07:19:01 EDT 2002


This was a primary reason for writing IDS Policy Manager. You can do
updates from the "Official" ruleset, or you can do updates from other
policy files. Here is what I personally do:
 
I have a master signature that I update via the web. This allows me to
test the new changes and make sure the new signatures are ready for
production. I then make any changes that I see fit. Then I merge the
master one into my production sensors' signatures and then I upload the
new production signatures to the sensors. It is a little more work, but
it allows me to have full control of any changes and allows me to manage
a lot of sensors without much work.
 
If you want to check out IDS Policy Manager, it is a freeware tool for
win32. You can download it at www.activeworx.com/idspm
 
Jeff

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of DoL
Sent: Friday, August 23, 2002 3:26 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] best practice on local signature maintenance


Hi All
 
Just wondering how do some of you (we) add our own local signature (or
even rule files / changes made to existing signature) and yet be able to
maintain the master from snort.org?  Do you normally keep a separate set
of signatures (rule files) for local, and add the corresponding include
statement to the snort.conf ?
 
Thanks
/dl
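
The master-to-production merge described in this thread, sketched as an added example (not code from the thread and not how IDS Policy Manager works internally). The policy choices are assumptions: a rule the sensor owner commented out stays disabled, sids from 1,000,000 up are treated as local rules per Snort convention, and rules gone from the master are dropped; `parse_rules` and `merge` are hypothetical names.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1_000_000  # Snort convention: sids from 1,000,000 up are local rules

def parse_rules(text):
    """Map sid -> (enabled, rule) for each rule line; '#'-prefixed rules are disabled."""
    rules = {}
    for line in text.splitlines():
        body = line.strip().lstrip("#").strip()
        match = SID_RE.search(body)
        if match and "(" in body:  # skip blank lines and ordinary comments
            rules[int(match.group(1))] = (not line.lstrip().startswith("#"), body)
    return rules

def merge(master_text, production_text):
    """Merge a tested master ruleset into production without losing local decisions."""
    master, prod = parse_rules(master_text), parse_rules(production_text)
    merged, report = {}, {k: [] for k in ("added", "updated", "kept_disabled", "local", "retired")}
    for sid, (enabled, body) in master.items():
        if sid not in prod:
            report["added"].append(sid)
        elif prod[sid][1] != body:
            report["updated"].append(sid)  # rule text changed in the master
        if sid in prod and enabled and not prod[sid][0]:
            enabled = False  # the sensor owner turned this rule off; keep it off
            report["kept_disabled"].append(sid)
        merged[sid] = (enabled, body)
    for sid in sorted(prod.keys() - master.keys()):
        if sid >= LOCAL_SID_MIN:
            merged[sid] = prod[sid]  # locally written rule, never touched by the master
            report["local"].append(sid)
        else:
            report["retired"].append(sid)  # gone from the master, so dropped here
    lines = [("" if on else "# ") + body for _, (on, body) in sorted(merged.items())]
    return "\n".join(lines) + "\n", report

# Constructed sample rulesets (illustrative rules, not taken from any real rule file).
MASTER = """\
alert tcp any any -> any 80 (msg:"WEB example A v2"; content:"/a"; sid:1001; rev:2;)
alert tcp any any -> any 80 (msg:"WEB example B"; content:"/b"; sid:1002; rev:1;)
alert tcp any any -> any 21 (msg:"FTP example C"; content:"c"; sid:1003; rev:1;)
"""
PRODUCTION = """\
alert tcp any any -> any 80 (msg:"WEB example A"; content:"/a"; sid:1001; rev:1;)
# alert tcp any any -> any 80 (msg:"WEB example B"; content:"/b"; sid:1002; rev:1;)
alert tcp any any -> any 25 (msg:"SMTP example old"; content:"x"; sid:1004; rev:1;)
alert tcp any any -> any 8080 (msg:"LOCAL proxy probe"; content:"/p"; sid:1000001; rev:1;)
"""
```

Reviewing the returned report before uploading the merged file to the sensors gives the same control point the reply describes: every added, changed, or retired sid is visible before it reaches production.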
