[Snort-users] Meaning of priority?

carold at ...158... carold at ...158...
Sun Jul 7 09:54:05 EDT 2002


> On Fri, 5 Jul 2002 carold at ...158... wrote:
> 
> > So I read it that it is just for output processing and/or rule reviews.
> 
> Yes.  It has nothing to do with the way that snort handles the rules.  It's
> only for the 'human' use and convenience factor.  :)
> 
> > The trouble with completely customizing the ruleset will become apparent
> > when the admin tries to update/merge his custom set with new rules from an
> > updated default set. Very painful! I did it a few times; I have no
> > interest in doing it again.
> 
> heh...  Been there, done that, still have a sore head from beating it on
> the desk that night.  :)
> 
> > Ultimately I have settled for adding machine-processed comment tags to
> > the default set but it is clearly a kludge.
> 
> Agreed, but if it works and works well for you--You're a winner! :)
> 
> One of the things that I've started to do, since snort.conf does change
> frequently, is build a my.conf file.  This works well for a test lab, but
> not so well in the real world:  Strip out all comments, blank lines and
> includes from snort.conf and place them into my.conf.  Then include my.conf
> right above all of the include statements for the rules.  There it will
> override all the default configs with yours, and with no changes needed.
> It's quick and dirty, but it works well in a test lab.  Then when you
> update, and diff snort.conf.orig and snort.conf, the only difference
> _should_ be a single line.  If not, check the diff, make the new changes
> needed to my.conf and away you go!
> 
> > One possible architectural solution would be to allow the user to
> > enable/disable/override rules outside of the ruleset itself. This way the
> > updated default ruleset will stay more or less customized for each
> > specific user, regardless of revisions. Example:
> >
> > custom.conf:
> >
> >     disable: 1123
> >
> > default ruleset:
> >
> >     alert tcp any any -> any any (whatever..., sid:1123; rev:4;)
> >     (...will stay always disabled even when updated)
> 
> That is one way to deal with it.  Another might be to use Oinkmaster [0] and
> have it keep your rules in sync for you.
> 
> Cheers!
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 
> 
> [0]	http://nitzer.dhs.org/oinkmaster/

This is quite good! One feature that I would add to it is to allow changing
the rule class. I have a number of rules from the default ruleset where I
only changed "alert" to "log" (instead of disabling them altogether) so I can
keep track of certain activities but I do not want to fire an alarm every
single time.

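The override file sketched in the quoted message (a custom.conf with `disable: <sid>` applied over the stock ruleset), plus the alert-to-log change asked for in the reply, as an added Python example that is not part of the original thread and not Snort's or Oinkmaster's own code. The `action: <sid> <action>` line is a hypothetical syntax of my own, and the rules and override text are constructed sample input; overridden rules are kept in place (commented out or re-actioned) so a diff against the upstream file stays readable, and overrides whose rule disappeared in an update are reported for review.

```python
import re

ACTIONS = ("alert", "log", "pass", "activate", "dynamic")  # actions that start a rule
RULE_RE = re.compile(r"^(?P<action>%s)\s+(?P<rest>.*)$" % "|".join(ACTIONS))
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_overrides(text):
    """custom.conf lines: 'disable: <sid>' or (hypothetical) 'action: <sid> <action>'."""
    disabled, actions = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, parts = key.strip(), value.split()
        if key == "disable" and len(parts) == 1:
            disabled.add(int(parts[0]))
        elif key == "action" and len(parts) == 2 and parts[1] in ACTIONS:
            actions[int(parts[0])] = parts[1]
        else:
            raise ValueError("bad override line: %r" % raw)
    return disabled, actions

def apply_overrides(rules_text, disabled, actions):
    """Return (rewritten ruleset, override sids not found in it)."""
    out, seen = [], set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        sid_m = SID_RE.search(line) if m else None
        if not sid_m:                 # comments, blanks, includes, config lines
            out.append(line)
            continue
        sid = int(sid_m.group(1))
        seen.add(sid)
        if sid in disabled:
            out.append("# " + line)   # disabled but kept, so upstream diffs stay small
        elif sid in actions:
            out.append("%s %s" % (actions[sid], m.group("rest")))
        else:
            out.append(line)
    return "\n".join(out) + "\n", (disabled | set(actions)) - seen

# Constructed sample input (not a real ruleset); sid 1123 is the one from the thread.
OVERRIDES = "disable: 1123\naction: 2000 log   # keep a record, do not alarm\n"
RULES = (
    "# comment line\n"
    'alert tcp any any -> any any (msg:"one"; sid:1123; rev:4;)\n'
    'alert tcp any any -> any 80 (msg:"two"; sid:2000; rev:1;)\n'
)

def demo():
    return apply_overrides(RULES, *parse_overrides(OVERRIDES))
```

A rule that upstream has already commented out does not match `RULE_RE`, so an override for it shows up in the missing set and can be dropped from custom.conf.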