[Snort-users] oinkmaster.conf entered disablesid - get enabled

Andreas Östling andreaso at ...236...
Tue Dec 16 13:43:01 EST 2003


On Tue, 16 Dec 2003, Snortty wrote:

> I tried to disable some rules by putting # in front of the
> rule (here is in the icmp.rule file), and entered it in
> the oinkmaster.conf at the bottom of the file as:
> 
> disablesid 485
> 
> Then, I just ran it simply:
> 
> oinkmaster-0.8# oinkmaster.pl -o /snort/snort-2.0.1/rules/
> 
> to see if the change in rule.icmp will be overwritten.
> 
> 
> It got overwritten after I ran it, and the output shows:
...

It sounds like you're doing it right, so the only theory I can come up 
with right now is that you're editing a different oinkmaster.conf than the 
one Oinkmaster is using (/usr/local/etc/oinkmaster.conf by default in 
0.8, which you can override with -C <file>). Maybe you edited the one in 
the current directory instead?

If this isn't it, I'd suggest that you run in verbose mode (-v) to have 
Oinkmaster tell you which rules it modifies and see if it mentions SID 
485. Maybe you could also upgrade to Oinkmaster 0.9 which is even more 
noisy/helpful in verbose mode.

/Andreas
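
Added example, not part of the original message or of Oinkmaster: a shell check for the theory above that reports which candidate oinkmaster.conf carries an active disablesid for a SID, and whether that SID is commented out in the rules file. The function names and sample files are hypothetical, and the handling of comma-separated SIDs and trailing # comments is an assumption about the config syntax.

```shell
# conf_disables_sid FILE SID: exit 0 if FILE has an active disablesid entry for SID.
# Assumption: "#" starts a comment and SIDs may be separated by commas or spaces.
conf_disables_sid() {
    [ -r "$1" ] || return 2
    sed -e 's/#.*//' "$1" | awk -v sid="$2" '
        $1 == "disablesid" {
            sub(/^[ \t]*disablesid[ \t]*/, "")
            n = split($0, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (a[i] == sid) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# rule_state RULEFILE SID: print enabled, disabled (line starts with #) or missing.
rule_state() {
    awk -v sid="$2" '
        index($0, "sid:" sid ";") {
            state = ($0 ~ /^[ \t]*#/) ? "disabled" : "enabled"
        }
        END { print (state == "" ? "missing" : state) }' "$1"
}

# report SID RULEFILE CONF...: one line per candidate config, then the rule state.
report() {
    sid=$1; rules=$2; shift 2
    for conf in "$@"; do
        if conf_disables_sid "$conf" "$sid"; then
            echo "$conf: disablesid $sid present"
        else
            echo "$conf: no disablesid $sid"
        fi
    done
    echo "$rules: SID $sid is $(rule_state "$rules" "$sid")"
}

# Constructed sample files standing in for two configs and a rules file.
demo=$(mktemp -d)
printf '# default config\nurl = placeholder\n' > "$demo/default.conf"
printf 'disablesid 485\n# disablesid 486\n' > "$demo/cwd.conf"
printf 'alert icmp any any -> any any (msg:"constructed"; sid:485; rev:1;)\n' \
    > "$demo/icmp.rules"
report 485 "$demo/icmp.rules" "$demo/default.conf" "$demo/cwd.conf"
rm -rf "$demo"
```

To compare real files, pass report the default /usr/local/etc/oinkmaster.conf, any file given with -C, and the copy in the current directory.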



