[Snort-users] Rule is already commented

Chris Green cmg at ...671...
Fri Jan 25 07:13:04 EST 2002


"Ronneil Camara" <ronneilc at ...4042...> writes:

> Just would like to know the reason.
>
> I was doing a program which will keep your old rules including the
> commented rules.  It compares it the new rules.  I just actually
> grab another guys copy which is also on this list. But I have almost
> added many conditional statements, and string streamings and
> modification in some lines to make the commenting in the new rule
> almost perfect. I will RELEASE it soon.

This has already been done a good bit.

http://www.algonet.se/~nitzer/oinkmaster/
>
> Here is what I did. As an example, I used web-iis.rules
>
> 1. I commented 8 lines
> 2. Run the script I made
> 3. Upon checking the new generated web-iis.rules, there were at least 13 lines that was commented.
>
> So, I kept finding the problem in my script. Until 4 hours of
> troubleshooting, I opened snortrules.tar.gz which I recently and
> opened web-iis.rules. I found out that there were already commented
> rules there. :-) Even the cvs copy of web-iis.rules was already
> commented.

snortrules.tar.gz is automatically generated from CVS.

>
> What would be the reason why it was commented?

Probably following discussioon on snort-sigs - atleast include the
sids  or the rules that were commented out.
-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.




More information about the Snort-users mailing list