[Snort-users] Re: Snort-users digest, Vol 1 #1104 - 14 msgs

Dennis Henderson hendo at ...3663...
Tue Oct 2 05:29:03 EDT 2001


I made a custom ruleset called Noise Reduction.  I put all my false-positive 
rules in there and changed alert to pass.

I use the "-o" option to reverse the evaluation order that Snort uses to 
test traffic.

With -o, "pass" rules are evaluated before "alert and log".

My rules can update all day and life goes on.  It seems to work for me.


At 11:33 PM 10/1/01 -0700, you wrote:
>From: <adulau-snort at ...1558...>
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] rules update script and consistency
>Hello All,
>Here is my trouble: I want to update my rule set automatically without
>having to change back my false-positive removed rules.
>I have seen this script, snort-update. snort-update only does a diff
>of the existing rules and sends a mail so the mv can be done manually.
>I plan to do a script like this:
>-> Concentrate all the rules in one file.
>-> Make modifications using this script (or the script via Webmin).
>         The script keeps two files: one activated rule list and one
>                                     deactivated rule list.
>-> When I get Snort rules from snort.org or from Whitehats, it generates
>a new activated rule list and removes the entries present in the deactivated
>rule list.
>-> So we have the new rules but not the already deactivated rules...
>Is there any script like that at the moment, or do I need to write it?
>(So as not to do the work twice 8-))
>Thanks a lot
>Alexandre Dulaunoy
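
An added example, not code from this thread, from Snort or from either poster, that joins the two ideas above: Alexandre's "deactivated rule list" kept next to the download, and Dennis's trick of expressing each deactivated rule as a pass rule in a separate noise-reduction file evaluated first with -o. The downloaded rules file is never edited; the pass rules are regenerated from the fresh download on every update, so an upstream content change is carried into the pass rule automatically. The sample rules, sids, hosts and file contents below are constructed for illustration and are not real snort.org or Whitehats rules.

```python
"""Regenerate a Snort "noise reduction" pass-rule file from a fresh rules
download, so the upstream rules files can be replaced on every update while
the local false-positive exemptions survive.

Added example for this thread, not code from Snort or from either poster.
The rule text, sids and addresses below are constructed for illustration.
"""
import re

# Actions a rule header may start with (Snort 1.x rule language).
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$"
)

# Constructed stand-in for a freshly downloaded rules file (not real
# snort.org content). One rule is wrapped with a backslash, one has no sid.
NEW_RULES = """\
# constructed sample download
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; \\
    flags:A+; content:"cmd.exe"; nocase; sid:1002; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:469; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"SNMP public access"; content:"public";)
"""

# Constructed "deactivated" list: keys are sid:N, or msg:"..." for rules
# without a sid. sid:9999 is deliberately absent from the download.
DEACTIVATED = {"sid:469", 'msg:"SNMP public access"', "sid:9999"}

# Hypothetical: the one host allowed to trip a deactivated rule. A pass rule
# narrowed to it still lets the alert fire for everybody else.
EXEMPT_HOSTS = {"sid:469": "10.1.2.3"}


def parse_rules(text):
    """Return each rule as one string: comments and blank lines dropped,
    backslash line continuations joined."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        rules.append(pending + line)
        pending = ""
    return rules


def rule_key(rule):
    """Stable identity for a rule across updates: the sid when present,
    otherwise the msg string; last resort, the full rule text."""
    m = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    if m:
        return "sid:" + m.group(1)
    m = re.search(r'\bmsg:\s*("[^"]*")', rule)
    if m:
        return "msg:" + m.group(1)
    return rule


def to_pass(rule, src=None):
    """Copy a rule with its action changed to pass. sid/rev are dropped so
    the copy does not share a sid with the original; with src given, the
    source address is narrowed so only that host is exempted."""
    m = HEADER_RE.match(rule)
    if not m or m.group("action") not in ACTIONS:
        raise ValueError("not a Snort rule header: " + rule)
    f = m.groupdict()
    f["action"] = "pass"
    if src is not None:
        f["src"] = src
    opts = re.sub(r"\s*\b(?:sid|rev):\s*\d+\s*;", "", f["opts"] or "")
    f["opts"] = "" if opts in ("", "()") else " " + opts
    return "{action} {proto} {src} {sport} {dir} {dst} {dport}{opts}".format(**f)


def build_noise_rules(new_text, deactivated, exempt_hosts=None):
    """Return (pass_rules, missing): one pass rule per deactivated entry found
    in the fresh download, built from the *new* rule text so upstream content
    changes are tracked; plus the deactivated keys the download no longer has
    (retired or renumbered upstream, so the exemption needs a human look)."""
    exempt_hosts = exempt_hosts or {}
    pass_rules, seen = [], set()
    for rule in parse_rules(new_text):
        key = rule_key(rule)
        if key in deactivated:
            seen.add(key)
            pass_rules.append(to_pass(rule, exempt_hosts.get(key)))
    return pass_rules, sorted(set(deactivated) - seen)


if __name__ == "__main__":
    noise, missing = build_noise_rules(NEW_RULES, DEACTIVATED, EXEMPT_HOSTS)
    # Write this to noise.rules, include it from snort.conf, and start Snort
    # with -o so the pass rules are evaluated before the alert rules.
    print("\n".join(noise))
    for key in missing:
        print("# WARNING: deactivated rule not in this download:", key)
```

Two points worth keeping in mind when using something like this. A pass rule copied verbatim from an alert rule silences that alert for every source, which is no better than deleting the rule; narrowing the source field to the host that actually causes the false positive (the EXEMPT_HOSTS map above) keeps the detection for everyone else. And without -o the pass rule is evaluated after the alert rule and suppresses nothing, so the noise file only does its job when Snort is started the way Dennis describes.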

