[Snort-users] Auto rules update

Jason Haar Jason.Haar at ...294...
Tue Jan 23 16:06:28 EST 2001


On Tue, Jan 23, 2001 at 06:14:36PM +0100, Erich Meier wrote:

> egrep -v '^(var (EXTERNAL|INTERNAL)|preprocessor (portscan|minfrag|http_decode)|######### Export date:)' vision.conf | egrep -vf vision.conf.exclude > vision.conf.new
> 

I do the opposite:

grep "^alert " vision.conf|egrep -v "IDSxxx|IDSxxx...."

Then I add all my preprocessor/etc rules at the top, exclude rules I don't
want/etc...

...but you're right. It should then Email the admin who should eyeball it
before going live.


Hey Max - how 'bout PGP signing the files? ;-)

[I see a business forming here... ;-)]

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
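
The allowlist approach from this message (keep only "alert " lines, drop excluded IDS ids, put local settings on top, then hand a diff to the admin instead of going live), as an added shell example that is not part of the original post. File names, rule text, IDS numbers and the 192.0.2.0/24 network are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, rule text and IDS numbers are constructed.

# build_candidate DOWNLOADED HEADER EXCLUDE OUT
# Allowlist: keep only "alert " lines, drop those matching an EXCLUDE pattern,
# and put the site's own var/preprocessor lines (HEADER) on top.
build_candidate() {
    pats=$(mktemp) && body=$(mktemp) || return 1
    # A blank line in EXCLUDE is an empty regex that matches every rule and
    # would silently empty the rule set, so strip blank lines first.
    grep -v '^[[:space:]]*$' "$3" > "$pats" || :
    # Exit status is that of the last grep: non-zero when no rule survives,
    # e.g. the download was truncated or is an HTML error page.
    if grep '^alert ' "$1" | grep -E -v -f "$pats" > "$body"; then
        cat "$2" "$body" > "$4"; rc=$?
    else
        rc=1
    fi
    rm -f "$pats" "$body"
    return "$rc"
}

# stage_for_review LIVE CANDIDATE DIFF_OUT
# Writes a unified diff for the admin. Returns 0 if there is something to
# review, 1 if nothing changed, 2 on a diff error. It never modifies LIVE.
stage_for_review() {
    rc=0; diff -u "$1" "$2" > "$3" || rc=$?
    case $rc in 0) return 1 ;; 1) return 0 ;; *) return 2 ;; esac
}

# --- demo on constructed input ---
work=$(mktemp -d)
cat > "$work/vision.conf" <<'EOF'
######### Export date: (constructed)
var EXTERNAL any
preprocessor http_decode: 80
alert tcp $EXTERNAL any -> $INTERNAL 21 (msg: "IDS0001/constructed-ftp-rule";)
alert tcp $EXTERNAL any -> $INTERNAL 80 (msg: "IDS0002/constructed-web-rule";)
alert udp $EXTERNAL any -> $INTERNAL 53 (msg: "IDS0003/constructed-dns-rule";)
EOF
printf 'var INTERNAL 192.0.2.0/24\nvar EXTERNAL any\n' > "$work/local.head"
printf 'IDS0002\n\n' > "$work/exclude"       # note the stray blank line
cp "$work/local.head" "$work/live.rules"     # stands in for the running rules
if build_candidate "$work/vision.conf" "$work/local.head" "$work/exclude" "$work/new.rules" &&
   stage_for_review "$work/live.rules" "$work/new.rules" "$work/review.diff"; then
    cat "$work/review.diff"   # in production: mail this to the admin instead
fi
```

Because only lines starting with "alert " are carried over, a var or preprocessor line that appears in a later download cannot reach the candidate file without being added to the local header by hand.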



