[Snort-users] Disabling rules without touching the originals

Marcus Spading linuxnews at ...4432...
Thu Jan 3 10:20:07 EST 2002


* Brian <bmc at ...950...> [020103 18:35]:
> > Thanks. I will have a look at it. Maybe it does what I want, but
> > commenting out rules I do not want isn't the way I wanted to go. 
> 
> Why?  If you want to disable the signature, then commenting it out
> will speed up snort and it will make sure that other signatures that
> come after the signature you disable will still fire.

Simple. Because if I don't touch the 'official' rule files, updating is a
lot easier. Inserting 20 comment marks in 10 files (and maybe on more than
one host) is not something I'd like doing in files that change that often
like snort's rule files. Having a central local.rules that contains all
changes for a given host seems much more preferable - at least to me, but
maybe I'm thinking in the wrong direction. 

Sure, commenting the rules would speed things up a little bit. But that's not a
major concern at the moment, the 'snorted' network is rather low traffic,
nothing gets dropped at the moment.

-- 
BCNU
Marcus
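
One way to get the effect described in this message, as an added example that is not part of the original post and not code from the Snort project: leave the distributed rule files untouched, keep a per-host list of sids to disable, and generate the copies that Snort actually loads. The disable-list format, the function names and the sample rules are assumptions made for this illustration.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_disable_list(text):
    """Per-host list: one sid per line, '#' starts a comment."""
    sids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            sids.add(int(line))
    return sids

def disable_sids(rule_text, disabled):
    """Return (new_text, matched): a copy of rule_text in which every active
    rule whose sid is in `disabled` is commented out."""
    out, matched, block = [], set(), []
    for line in rule_text.splitlines():
        block.append(line)
        if line.rstrip().endswith("\\"):
            continue  # rule continues on the next physical line
        logical = " ".join(block)
        m = SID_RE.search(logical)
        active = not logical.lstrip().startswith("#")
        if active and m and int(m.group(1)) in disabled:
            matched.add(int(m.group(1)))
            out.extend("# " + part for part in block)
        else:
            out.extend(block)
        block = []
    out.extend(block)  # unterminated continuation at EOF: keep untouched
    return "\n".join(out) + "\n", matched

# Constructed sample input (rules and sids are made up for this example).
SAMPLE_RULES = (
    'alert icmp any any -> $HOME_NET any (msg:"constructed ping"; itype:8; sid:1000001; rev:1;)\n'
    'alert tcp any any -> $HOME_NET 80 (msg:"constructed web"; \\\n'
    '    content:"/test"; sid:1000002; rev:1;)\n'
    '# alert tcp any any -> $HOME_NET 23 (msg:"already off"; sid:1000003; rev:1;)\n'
)
SAMPLE_DISABLE = "1000002  # noisy on this host\n1000003\n1000099  # gone upstream\n"

if __name__ == "__main__":
    wanted = parse_disable_list(SAMPLE_DISABLE)
    generated, matched = disable_sids(SAMPLE_RULES, wanted)
    print(generated, end="")
    # Entries that matched no active rule: stale after an update, or already off.
    print("unmatched:", sorted(wanted - matched))
```

Regenerate the copies from the fresh files after each rule update; sids in the list that matched no active rule are worth reviewing, since the rule may have been renumbered or dropped.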