[Snort-users] Disabling rules without touching the originals

Marcus Spading linuxnews at ...4432...
Wed Jan 2 01:31:06 EST 2002


Hello snorters,

I've spending hours trying to figure out how to disable single rules from
the standard distribution by *only* changing snort.conf or rules.local. I
do not want to touch any given standard rule, so updating the rulesets will
be much easier.

My last attempt was the following (in rules.local)

ruletype donotshow {
	type alert
	output log_null
}
donotshow tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS (msg:"Disabled Proxy Scan Attempt";flags:S;)

I wanted to create a rule that is applied earlier, than the standard rule,
but it didnt work. I also played with the sid in the rule and I tried to
change the include order in snort.conf.. nothing.

Is commenting out a rule or changing the vars in a rule so it doesnt match
anymore really the only way to archive this? How do you guys update and
organize your rulesets then?

BTW: I'm using Snort 1.8.3, logging to a mysql db, but I dont think that
matters here.

Since this is my first posting to this list please have patience. I hope I
didnt overlook something obvious.

-- 
BCNU
Marcus




More information about the Snort-users mailing list