[Snort-users] re: oinkmaster

adam_peterson at ...10608... adam_peterson at ...10608...
Wed Dec 3 14:24:03 EST 2003


I think you want to check out the 'disablesid' option in your 
oinkmaster.conf file.  That will tell oinkmaster to disable the sids that 
you want when it updates your rules.  By default it will simply download 
the new rule files and put them where you tell it to.  If the new rule 
files don't exclude the same sids you've excluded, the result is what 
you're describing.  The syntax in oinkmaster.conf is simply:

disablesid 123

>It seems that oinkmaster.pl decided it's running with the -e option, as
>it is enabling all of the rules that I disable. As you can imagine, this
>makes for a *lot* of that snort is picking up, and generally makes
>maintenance a nightmare.
>
>I use includes in my snort.cf (i.e. include bad-traffic.rules). I'm
>running it as
>
>        "/usr/local/bin/oinkmaster.pl -q -b /etc/snort.last/ -o /etc/snort/"
>
>is there something I'm doing wrong?
>
>Thanks!
>Nick
>--
>+---------------------------------------------------------------+
>| Nicholas Bernstein            | nick at ...10668...             |
>| UNIX Systems Administrator    | http://www.docmagic.com       |
>| Document Systems Inc.         |                |
>| gpg: F706 8C4E 78FA DDDD 53A0 019F D983 FE28 2002 D1F3                |
>+---------------------------------------------------------------+

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | 
adam_peterson at ...10608...
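
An added example, not part of the original message and not Oinkmaster's own code: a post-update check that reports any SID listed under 'disablesid' in oinkmaster.conf that is still active (not commented out) in the rule files. It assumes one rule per line and also accepts comma-separated SID lists, which is an assumption beyond the single-SID syntax shown above; the function names and sample data are constructed for illustration.

```python
import re

# "disablesid 123" as shown in the message; comma lists are an assumed extension.
DISABLESID_RE = re.compile(r"^\s*disablesid\s+([\d\s,]+)", re.IGNORECASE)
# The sid option inside a Snort rule, e.g. "sid:123;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample oinkmaster.conf fragment.
SAMPLE_CONF = """\
# constructed sample
disablesid 123
disablesid 1000001, 1000002   # assumed comma-list form
"""

# Constructed sample rules file: B is commented out, A and C are still live.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:123; rev:1;)
#alert tcp any any -> any 80 (msg:"constructed rule B"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed rule C"; sid:1000002; rev:2;)
alert tcp any any -> any 80 (msg:"constructed rule D"; sid:456; rev:1;)
"""


def disabled_sids(conf_text):
    """Return the set of SIDs named by disablesid lines in the config text."""
    sids = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = DISABLESID_RE.match(line)
        if m:
            parts = re.split(r"[\s,]+", m.group(1).strip())
            sids.update(int(p) for p in parts if p)
    return sids


def still_active(conf_text, rules_text):
    """Return sorted SIDs that are listed under disablesid but not commented out."""
    wanted = disabled_sids(conf_text)
    active = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or already-disabled rule
        m = SID_RE.search(stripped)
        if m and int(m.group(1)) in wanted:
            active.add(int(m.group(1)))
    return sorted(active)


if __name__ == "__main__":
    print("SIDs that should be disabled but are active:",
          still_active(SAMPLE_CONF, SAMPLE_RULES))
```
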