[Snort-users] Customization of rules

Erek Adams erek at ...577...
Fri Feb 1 10:50:05 EST 2002

On Fri, 1 Feb 2002, Chip Kelly wrote:

> I'm just getting comfortable with the changes that I've made to the rules
> that are supplied with 1.8.3. Most of the changes are localized in
> local.rules, but I have also made changes to the way some of the other rules
> work in order to reduce false positives in my environment. My question - how
> do I preserve the customized rules in files other than local.rules when I
> update my rule sets either from an update to snort or simply an update to my
> rules files? I'm not looking forward to handling each customization
> individually. -chip

Suggestion:  Build a custom.rules file.  Any rule that gets changed, gets
copied to custom.rules with comments on how/why it was changed.  Then in the
original .rules file that the rule came from, you just comment it out.  That
allows you to run a diff against the current rules and the updated rules.  The
rules that you've customized will show up as different, since they are
commented out.  That lets you have one place to modify rules and one place to
keep up with them.

YMMV, but that works for some....  Good luck!

Erek Adams
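
The workflow suggested above, sketched as an added example that is not part of the original message: after an update, it compares the locally edited copy of a stock rules file with the updated one and lists, by `sid`, each rule that had been commented out locally, noting whether upstream also revised it. The file names, the matching on the `sid` option, and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# review_update OLD NEW
# OLD: locally edited copy of a stock rules file in which every customized
#      rule has been commented out (the edited copy lives in custom.rules).
# NEW: the same file from the updated rule set.
# Prints "<sid> unchanged" when the updated rule is identical (just comment
# it out again) or "<sid> revised-upstream" (also revisit custom.rules).
review_update() {
    awk '
        function sid(line,   s) {
            if (match(line, /sid:[ ]*[0-9]+/)) {
                s = substr(line, RSTART, RLENGTH); sub(/sid:[ ]*/, "", s); return s
            }
            return ""
        }
        FNR == NR {                       # first file: OLD
            if ($0 ~ /^#[ ]*alert /) {    # a rule that was commented out locally
                r = $0; sub(/^#[ ]*/, "", r)
                if ((k = sid(r)) != "") disabled[k] = r
            }
            next
        }
        /^alert / {                       # second file: NEW
            k = sid($0)
            if (k in disabled)
                print k, (disabled[k] == $0 ? "unchanged" : "revised-upstream")
        }
    ' "$1" "$2"
}

demo() {
    d=$(mktemp -d)
    # Constructed sample rules, not taken from a real Snort rule set.
    cat > "$d/old.rules" <<'EOF'
# alert tcp any any -> any 80 (msg:"EXAMPLE one"; content:"aaa"; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE two"; content:"bbb"; sid:9000002; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE three"; content:"ccc"; sid:9000003; rev:1;)
EOF
    cat > "$d/new.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"EXAMPLE one"; content:"aaa"; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE two"; content:"bbb"; sid:9000002; rev:2;)
alert tcp any any -> any 21 (msg:"EXAMPLE three"; content:"ccc|0a|"; sid:9000003; rev:2;)
EOF
    review_update "$d/old.rules" "$d/new.rules"
    rm -rf "$d"
}
demo
```

A rule reported as revised-upstream means the copy in custom.rules was derived from an older revision and may be missing the upstream change.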
