[Snort-users] oinkmaster

Andreas Östling andreaso at ...236...
Wed Dec 3 14:29:01 EST 2003


On Wed, 3 Dec 2003, Nicholas Bernstein wrote:

> It seems that oinkmaster.pl decided it's running with the -e option, as
> it is enabling all of the rules that I disable. As you can imagine, this
> makes for a *lot* of that snort is picking up, and generally makes
> maintenance a nightmare.
>
> I use includes in my snort.cf (i.e. include bad-traffic.rules). I'm
> running it as
>
>         "/usr/local/bin/oinkmaster.pl -q -b /etc/snort.last/ -o /etc/snort/"
>
> is there something I'm doing wrong?

It depends on what you mean by "rules that I disable".
When running Oinkmaster you must disable rules by adding "disablesid"
statements to oinkmaster.conf, not by editing the rules files
directly (see INSTALL and README for more info).
If you're a new Oinkmaster user you may find contrib/makesidex.pl useful.
It scans your rules files for disabled rules and outputs "disablesid"
statements for those so that you can easily add this to oinkmaster.conf.

If you mean that it worked before but these things just started happening
when switching version or something like that, please send me more
details.

/Andreas
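
The conversion described in the reply above, as an added Python example; it is not contrib/makesidex.pl itself and not code from this thread. The sample rules, SIDs and function names are constructed for illustration, and putting each rule's msg on a comment line above its "disablesid" statement is an assumption of this example.

```python
import re

# Constructed sample rules file (not from the thread): one active rule, one
# prose comment, two hand-disabled rules (one split with '\'), one duplicate.
SAMPLE_RULES = '''\
# Bad traffic rules: this line is prose, not a disabled rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 0 (msg:"EXAMPLE active"; sid:1000001; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 0 (msg:"EXAMPLE disabled"; sid:1000002; rev:2;)
# alert ip any any -> any any (msg:"EXAMPLE disabled, split line"; \\
#   sid:1000003; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 0 (msg:"EXAMPLE disabled"; sid:1000002; rev:2;)
'''

RULE_RE = re.compile(r'^(?:alert|log|pass|activate|dynamic|drop|reject|sdrop)\s.*\(.*\)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')


def disabled_rules(text):
    """Return [(sid, msg)] for commented-out rules, joining '\\' continuations."""
    found, seen, pending = [], set(), ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith('#'):
            pending = ''  # active rule or blank line: nothing to carry over
            continue
        body = pending + line.lstrip('#').strip()
        if body.endswith('\\'):  # rule continues on the next commented line
            pending = body[:-1].rstrip() + ' '
            continue
        pending = ''
        sid = SID_RE.search(body)
        if RULE_RE.match(body) and sid and sid.group(1) not in seen:
            seen.add(sid.group(1))
            msg = MSG_RE.search(body)
            found.append((int(sid.group(1)), msg.group(1) if msg else ''))
    return found


def to_disablesid(rules):
    """Format as oinkmaster.conf lines: a comment with the msg, then disablesid."""
    out = []
    for sid, msg in rules:
        out += [f'# {msg}', f'disablesid {sid}']
    return '\n'.join(out)


if __name__ == '__main__':
    print(to_disablesid(disabled_rules(SAMPLE_RULES)))
```

Review the generated statements before adding them to oinkmaster.conf, since a rule commented out by the rule maintainers is indistinguishable here from one disabled locally.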



