[Snort-users] Meaning of priority?

Erek Adams erek at ...577...
Sat Jul 6 12:22:02 EDT 2002

On Fri, 5 Jul 2002 carold at ...158... wrote:

> So I read it that it is just for output processing and/or rule reviews.

Yes.  It has nothing to do with the way that snort handles the rules.  It's
only for the 'human' use and convenience factor.  :)

> The trouble with completely customizing the ruleset will become apparent
> when the admin tries to update/merge his custom set with new rules from an
> updated default set. Very painful! I did it a few times; I have no interest in
> doing it again.

heh...  Been there, done that, still have a sore head from beating it on the
desk that night.  :)

> Ultimately I have settled for adding machine-processed comment tags to the
> default set but it is clearly a kludge.

Agreed, but if it works and works well for you--You're a winner! :)

One of the things that I've started to do, since snort.conf does change
frequently, is build a my.conf file.  This works well for a test lab, but
not so well in the real world:  Strip out all comments, blank lines and
includes from snort.conf and place them into my.conf.  Then include my.conf
right above all of the include statements for the rules.  There it will
override all the default configs with yours, and with no changes needed.  It's
quick and dirty, but it works well in a test lab.  Then when you update,
and diff snort.conf.orig and snort.conf the only difference _should_ be a
single line.  If not, check the diff, make the new changes needed to my.conf
and away you go!

> One of possible architectural solutions would be to allow the user to
> enable/disable/override rules outside of the ruleset itself. This way the
> updated default ruleset will stay more or less customized for each specific
> user, regardless of revisions. Example:
> custom.conf:
>     disable: 1123
> default ruleset:
>     alert tcp any any -> any any (whatever..., sid:1123; rev:4;)
>     (...will stay always disabled even when updated)

That is one way to deal with it.  Another might be to use Oinkmaster [0] and
have it keep your rules in sync for you.


Erek Adams

[0]	http://nitzer.dhs.org/oinkmaster/
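The my.conf procedure described in the reply above, scripted as an added example (not Erek's code, and not part of Snort or Oinkmaster). The snort.conf fragment it works on is constructed; the file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. build_my_conf keeps only the
# live directives of snort.conf (comments, blank lines and include lines
# dropped); add_my_include puts "include my.conf" just above the first
# rule include; changed_lines counts lines that differ between the pristine
# and the edited snort.conf, which should be 1 after an upgrade if nothing
# else moved. The sample configuration written below is constructed.

build_my_conf() {   # $1 = snort.conf to read, $2 = my.conf to write
    sed -e '/^[[:space:]]*#/d' \
        -e '/^[[:space:]]*$/d' \
        -e '/^[[:space:]]*include[[:space:]]/d' "$1" > "$2"
}

add_my_include() {  # $1 = snort.conf, edited in place
    awk '!done && /^[[:space:]]*include[[:space:]].*\.rules/ {
             print "include my.conf"; done = 1
         }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

changed_lines() {   # $1 = snort.conf.orig, $2 = snort.conf; prints a count
    diff "$1" "$2" | grep -c '^[<>]' || :
}

write_sample_conf() {   # $1 = path; a constructed snort.conf fragment
    printf '%s\n' \
        '# Snort configuration (constructed sample)' \
        'var HOME_NET 192.168.1.0/24' \
        '' \
        'var EXTERNAL_NET any' \
        'preprocessor frag2' \
        'include classification.config' \
        'include local.rules' \
        'include web-cgi.rules' > "$1"
}

# Walk-through: pristine copy, my.conf, include line, then the diff check.
demo() {
    dir=$(mktemp -d)
    write_sample_conf "$dir/snort.conf"
    cp "$dir/snort.conf" "$dir/snort.conf.orig"
    build_my_conf "$dir/snort.conf" "$dir/my.conf"
    add_my_include "$dir/snort.conf"
    echo "directives in my.conf: $(wc -l < "$dir/my.conf" | tr -d ' ')"
    echo "lines changed in snort.conf: $(changed_lines "$dir/snort.conf.orig" "$dir/snort.conf")"
}
```

Call `demo` to run it on the constructed sample; on a real install, run changed_lines against the saved snort.conf.orig after each upgrade and read the diff whenever the count is not 1.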

