[Snort-sigs] Community Rule Update

Andreas Östling andreaso at ...58...
Mon Apr 4 07:45:31 EDT 2005


On Monday 04 April 2005 15:11, Alex Kirk wrote:
> As to the idea of a VALID_PROXY_SERVERS variable, it makes sense -- *if*
> you've gone through as an admin and defined that variable. The problem
> is, for people who are just letting Oinkmaster grab new rules without
> touching their conf, this rule would break Snort, since they wouldn't
> have that variable defined. That said, though, it's a good way to cut
> down false positives if you take the time to define the variable, so
> I'll add your suggestion to the doc.
>
> Alex Kirk
> Research Analyst/
> Community Rules Maintainer
> Sourcefire, Inc.

That's exactly what the -U flag in Oinkmaster is there for, i.e. merge new 
variables into your local snort.conf so Snort doesn't break when there are 
new variables introduced in the downloaded rules.
I'm not sure anyone is actually using it, but it's there :)

/Andreas




More information about the Snort-sigs mailing list