[Snort-sigs] How can i effect new Local Rules in Snort

wkitty42 at windstream.net wkitty42 at windstream.net
Thu Mar 29 10:59:28 EDT 2018


On 03/29/2018 10:03 AM, Samuel Lungu wrote:
> 
> I have installed a new snort server according to this guide 
> https://www.snort.org/documents/snort-2-9-9-x-on-ubuntu-14-16.
> 
> My challenge is whenever I make changes to the local.rules file, the new rules 
> are not taking effect. The system is only loading the first original rule which 
> I had configured for testing. This has happened no matter how often I restart 
> the snort and barnyard2 service,


what do snort's logs say when you restart it? look specifically for things 
like "rule is same as another. using old rule" and similar... this could 
indicate that you have not assigned a unique sid to the rule... you should 
always have a sid and a rev in your rules... when you change a rule's detection 
properties, you should increment the rev, too...

if it is not a sid and rev problem, please post your rules so we can see them 
and not have to continue to make WAGs ;)


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
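
A check for the sid/rev issue the reply above describes, as an added example that is not part of the original message: it scans rules text for rules that lack a sid or rev and for a sid used more than once. The sample rules are constructed, and the one-rule-per-line layout and the function names are assumptions of this example.

```python
import re

# Constructed sample local.rules content (not the original poster's rules).
SAMPLE_RULES = """\
# local test rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection"; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection"; sid:1000004;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP connection"; sid:1000005; rev:2;)
"""

RULE_START = re.compile(r"^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted option values such as msg text
OPTION = r"[(;]\s*{}\s*:\s*(\d+)\s*;"       # numeric option, e.g. sid:1000001;


def option(rule, name):
    """Return the integer value of a numeric rule option, or None if absent."""
    m = re.search(OPTION.format(name), rule)
    return int(m.group(1)) if m else None


def lint_rules(text):
    """Return (line_number, problem) tuples for sid/rev problems in rules text."""
    problems = []
    seen = {}  # (gid, sid) -> line number where that pair first appeared
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not RULE_START.match(line):
            continue  # comment, blank line, or anything that is not a rule
        rule = QUOTED.sub('""', line)  # ignore "sid:" text inside quoted strings
        sid, rev = option(rule, "sid"), option(rule, "rev")
        gid = option(rule, "gid") or 1  # text rules default to generator id 1
        if sid is None:
            problems.append((lineno, "missing sid"))
        elif (gid, sid) in seen:
            problems.append((lineno, f"sid {sid} already used on line {seen[(gid, sid)]}"))
        else:
            seen[(gid, sid)] = lineno
        if rev is None:
            problems.append((lineno, "missing rev"))
    return problems


if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
```

Running it against the text of a real local.rules file before restarting snort points to the rule lines whose sid or rev needs fixing.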

