[Snort-users] RE: Customization of rules

Russell Fulton R.FULTON at ...3809...
Sat Feb 2 15:20:04 EST 2002


> Message: 14
> From: Chip Kelly <Chip.Kelly at ...4824...>
> To: "'snort-users at lists.sourceforge.net'"
> 	 <snort-users at lists.sourceforge.net>
> Date: Fri, 1 Feb 2002 09:36:20 -0500 
> Subject: [Snort-users] Customization of rules
> 
> I'm just getting comfortable with the changes that I've made to the rules that
>  are supplied with 1.8.3. Most of the changes are localized in local.rules, but 
> I have also made changes to the way some of the other rules work in order to 
> reduce false positives in my environment. My question - how do I preserve the 
> customized rules in files other than local.rules when I update my rule sets 
> either from an update to snort or simply an update to my rules files? I'm 
> not looking forward to handling each customization individually. -chip

I have the same problem.  What I have done so far is to write a Perl script
which takes a list of SIDs and comments the rules out.  I want to extend this to
cover simple modifications, e.g. added options, changed targets etc., but have
not had time to do so.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
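
The approach described in the reply above, as an added example that is not Russell Fulton's Perl script or part of the original message: a Python function that comments out rules by SID, so a saved list of disabled SIDs can be reapplied after each rule update. The function name, the sample rules and their SIDs are constructed for illustration.

```python
import re

# Matches the sid option inside a rule body, e.g. "sid:1000002;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules (not from any real rule set).
SAMPLE_RULES = r'''# constructed sample rules for the example
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"EXAMPLE ping"; \
    itype:8; sid:1000002; rev:2;)
# alert tcp any any -> any 21 (msg:"EXAMPLE ftp"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE dns"; sid:1000004; rev:1;)
'''

def disable_sids(rules_text, sids):
    """Comment out every active rule whose sid is in `sids`.

    Returns (new_text, missing). `missing` holds requested SIDs that matched
    no active rule: already disabled, or removed/renumbered by the update.
    """
    wanted = {int(s) for s in sids}
    found = set()
    out = []
    lines = rules_text.splitlines()
    i = 0
    while i < len(lines):
        # Gather one logical rule; a trailing "\" continues it on the next line.
        block = [lines[i]]
        while block[-1].rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            block.append(lines[i])
        i += 1
        logical = " ".join(l.rstrip().rstrip("\\") for l in block)
        active = bool(logical.strip()) and not logical.lstrip().startswith("#")
        m = SID_RE.search(logical)
        if active and m and int(m.group(1)) in wanted:
            found.add(int(m.group(1)))
            # Comment every physical line so a continued rule stays intact.
            block = ["# " + l for l in block]
        out.extend(block)
    return "\n".join(out) + "\n", wanted - found

if __name__ == "__main__":
    text, missing = disable_sids(SAMPLE_RULES, [1000002, 1000003, 1000099])
    print(text, end="")
    print("no active rule for SIDs:", sorted(missing))
```

Reviewing the `missing` set after each update shows which local suppressions no longer correspond to a live rule and may need to be revisited.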