[Snort-users] Re: Snort-users digest, Vol 1 #1104 - 14 msgs
hendo at ...3663...
Tue Oct 2 05:29:03 EDT 2001
I made a custom ruleset called Noise Reduction. I put all my false
positive rules in there and changed alert to pass.
I use the "-o" option to reverse the evaluation order that snort uses to
With -o, "pass" rules are evaluated before "alert and log".
My rules can update all day and life goes on. It seems to work for me.
At 11:33 PM 10/1/01 -0700, you wrote:
>From: <adulau-snort at ...1558...>
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] rules update script and consistency
>Here is my trouble: I want to update my ruleset automatically without
>having to change back my false-positive removed rules.
>I have seen this script, snort-update. Snort-update only does a diff
>of the existing rules and sends a mail so the mv can be done manually.
>I plan to do a script like that:
>-> Concentrate all the rules in one file.
>-> Make modifications using this script (or the script via Webmin).
> The script keeps two files: one activated rule list and one
> deactivated rule list.
>-> When I get Snort rules from snort.org or from whitehats, it generates
>a new activated rule list and removes the entries present in the deactivated list.
>-> So we have the new rules but the already deactivated rules...
>Is there any script like that for the moment, or do I need to do it?
>(To not do the work 2 times 8-))
>Thanks a lot
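Putting the two approaches above together, as an added example that is not code from either poster: a script that keeps a deactivated-rule list, drops those rules from a freshly downloaded ruleset, and re-emits them as pass rules for a Noise Reduction file (remember pass rules only win over alert/log when snort runs with -o). It assumes one rule per line, keyed by sid where present and by full text otherwise; the sample rules are constructed.

```python
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ACTION_RE = re.compile(r'^(alert|log)\s+')


def rule_key(rule):
    """Identify a rule by its sid when it has one, else by its full text.
    Keying by sid keeps a rule deactivated even after upstream bumps its rev."""
    m = SID_RE.search(rule)
    return 'sid:' + m.group(1) if m else rule.strip()


def parse_rules(text):
    """Return rule lines, skipping blanks and '#' comments (assumes one rule per line)."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


def merge_update(new_rules_text, deactivated_text):
    """Split a fresh ruleset into (activated, noise_reduction).
    Rules listed as deactivated are removed from the activated list and
    re-emitted with 'alert'/'log' rewritten to 'pass'."""
    deactivated = {rule_key(r) for r in parse_rules(deactivated_text)}
    activated, noise = [], []
    for rule in parse_rules(new_rules_text):
        if rule_key(rule) in deactivated:
            noise.append(ACTION_RE.sub('pass ', rule, count=1))
        else:
            activated.append(rule)
    return activated, noise


# Constructed sample input, not real snort.org or whitehats rules.
NEW_RULES = """# freshly downloaded ruleset (sid 900001 now at rev:2)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample one"; content:"foo"; sid:900001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample two"; content:"bar"; sid:900002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP sample three"; itype:8;)
"""
DEACTIVATED = """alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample one"; content:"foo"; sid:900001; rev:1;)
"""

if __name__ == '__main__':
    active, noise = merge_update(NEW_RULES, DEACTIVATED)
    print('# activated rules');        print('\n'.join(active))
    print('# noise reduction (pass)'); print('\n'.join(noise))
```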