[Snort-users] RE: Customization of rules

Russell Fulton R.FULTON at ...3809...
Sat Feb 2 15:20:04 EST 2002

> Message: 14
> From: Chip Kelly <Chip.Kelly at ...4824...>
> To: "'snort-users at lists.sourceforge.net'"
> 	 <snort-users at lists.sourceforge.net>
> Date: Fri, 1 Feb 2002 09:36:20 -0500 
> Subject: [Snort-users] Customization of rules
> I'm just getting comfortable with the changes that I've made to the rules that
>  are supplied with 1.8.3. Most of the changes are localized in local.rules, but 
> I have also made changes to the way some of the other rules work in order to 
> reduce false positives in my environment. My question - how do I preserve the 
> customized rules in files other than local.rules when I update my rule sets 
> either from an update to snort or simply an update to my rules files? I'm 
> not looking forward to handling each customization individually. -chip

I have the same problem.  What I have done so far is to write a Perl script
which takes a list of SIDs and comments the rules out.  I want to extend this to
cover simple modifications, e.g. added options, changed targets, etc., but have
not had time to do so.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
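
One way to implement the SID-list approach described in the reply, as an added Python example that is not Russell's script and not part of the original message. It assumes one rule per line (no backslash continuations) and a SID list with one SID per line; the function names and the sample rules are hypothetical.

```python
import re

# The sid option inside a rule's option block, e.g. "sid:1000001;"
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# An active (uncommented) rule starts with one of Snort's rule actions
RULE_RE = re.compile(r'^\s*(alert|log|pass|activate|dynamic)\s')

def read_sid_list(text):
    """Parse a SID list: one SID per line, '#' starts a comment."""
    entries = (line.split('#', 1)[0].strip() for line in text.splitlines())
    return [int(e) for e in entries if e]

def disable_sids(rules_text, sids):
    """Comment out every active rule whose sid is in `sids`.

    Returns (new_text, disabled, missing). Rules that are already commented
    stay untouched, so the same list can be re-applied after each rule-set
    update. `missing` lists SIDs found in no rule at all, active or
    commented, which flags entries the update removed or renumbered.
    """
    wanted, seen = {int(s) for s in sids}, set()
    out, disabled = [], []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        seen.add(sid)
        if sid in wanted and RULE_RE.match(line):
            out.append('# ' + line)
            disabled.append(sid)
        else:
            out.append(line)
    return '\n'.join(out) + '\n', disabled, sorted(wanted - seen)

# Constructed sample input, not rules from any Snort distribution.
SAMPLE_RULES = '''\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/example"; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ping"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE already off"; sid:1000003; rev:1;)
'''
SAMPLE_SIDS = '''\
1000002   # noisy in this environment
1000003
1000099   # no longer present in the rule set
'''

if __name__ == '__main__':
    text, disabled, missing = disable_sids(SAMPLE_RULES, read_sid_list(SAMPLE_SIDS))
    print(text, end='')
    print('disabled:', disabled, 'missing:', missing)
```

Keeping the SID list in its own file means the tuning survives a rule-set update: unpack the new rules, then re-run the list against them and review anything reported as missing.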
