[Snort-users] Meaning of priority?
carold at ...158...
Sun Jul 7 09:54:05 EDT 2002
> On Fri, 5 Jul 2002 carold at ...158... wrote:
> > So I read it that it is just for output processing and/or rule reviews.
> Yes. It has nothing to do with the way that snort handles the rules.
> Only for the 'human' use and convenience factor. :)
> > The trouble with completely customizing the ruleset will become apparent
> > when the admin tries to update/merge his custom set with new rules from
> > updated default set. Very painful! I did it a few times; I have no
> > interest in doing it again.
> heh... Been there, done that, still have a sore head from beating it on
> desk that night. :)
> > Ultimately I have settled for adding machine-processed comment tags to
> > default set but it is clearly a kludge.
> Agreed, but if it works and works well for you--You're a winner! :)
> One of the things that I've started to do is since snort.conf does change
> frequently, I've built a my.conf file. This works well for a test lab,
> not so well in the real world: Strip out all comments, blank lines and
> includes from snort.conf and place them into my.conf. Then include
> right above all of the include statements for the rules. There it will
> override all the default configs with yours, and with no changes needed.
> Quick and dirty, but it works well in a test lab. Then when you update,
> and diff snort.conf.orig and snort.conf the only difference _should_ be a
> single line. If not, check the diff, make the new changes needed to
> and away you go!
> > One of possible architectural solutions would be to allow the user to
> > enable/disable/override rules outside of the ruleset itself. This way
> > updated default ruleset will stay more or less customized for each
> > user, regardless of revisions. Example:
> > custom.conf:
> > disable: 1123
> > default ruleset:
> > alert tcp any any -> any any (whatever..., sid:1123; rev:4;)
> > (...will stay always disabled even when updated)
> That is one way to deal with it. Another might be to use Oinkmaster and
> have it keep your rules in sync for you.
> Erek Adams
>  http://nitzer.dhs.org/oinkmaster/
This is quite good! One feature that I would add to it is to allow changing
the rule class. I have a number of rules from the default ruleset where I
only changed "alert" to "log" (instead of disabling them altogether) so I can
keep track of certain activities but I do not want to fire an alarm every
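As an added illustration (not code from this thread or from Oinkmaster), here is a small Python script that applies the custom.conf idea quoted above to a ruleset: `disable: <sid>` comments the rule out, and `log: <sid>` (a keyword assumed here for the action change suggested in this reply) rewrites `alert` to `log`. Both overrides are keyed on sid, so they survive a `rev` bump in an updated default set; the rule lines and custom.conf contents are constructed for the example, and the script also reports override sids that no longer match any rule.

```python
import re

# Constructed sample default ruleset (sids are illustrative, not real Snort sids).
DEFAULT_RULES = """\
alert tcp any any -> any any (msg:"example one"; sid:1123; rev:4;)
alert tcp any any -> any 80 (msg:"example two"; sid:2000; rev:1;)
# alert udp any any -> any 53 (msg:"already off"; sid:3000; rev:1;)
"""

# Constructed custom.conf: 'disable:' as proposed in the thread, 'log:' as the
# assumed keyword for changing the rule action instead of disabling it.
CUSTOM_CONF = """\
disable: 1123
log: 2000
log: 9999   # no such sid in the ruleset; reported as unmatched
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ACTION_RE = re.compile(r'^(\s*)(alert|log|pass|activate|dynamic)\b')

def parse_overrides(text):
    """Return {sid: 'disable' | 'log'} from lines of the form 'verb: sid'."""
    overrides = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # allow trailing comments
        if not line:
            continue
        verb, _, sid = line.partition(':')
        verb, sid = verb.strip().lower(), sid.strip()
        if verb not in ('disable', 'log') or not sid.isdigit():
            raise ValueError(f"bad override line: {line!r}")
        overrides[int(sid)] = verb
    return overrides

def apply_overrides(rules, overrides):
    """Apply overrides keyed on sid; return (new_rules, sids that matched no rule)."""
    seen, out = set(), []
    for line in rules.splitlines():
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        verb = overrides.get(sid)
        if verb == 'disable' and not line.lstrip().startswith('#'):
            line = '# ' + line                   # keep the rule text, just switch it off
        elif verb == 'log':
            line = ACTION_RE.sub(r'\1log', line, count=1)   # only touches active rules
        if verb:
            seen.add(sid)
        out.append(line)
    return '\n'.join(out) + '\n', sorted(set(overrides) - seen)
```

Running `apply_overrides(DEFAULT_RULES, parse_overrides(CUSTOM_CONF))` after each ruleset update regenerates the customized file; a non-empty unmatched list flags overrides for rules that were dropped upstream.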