[Snort-users] oinkmaster.conf entered disablesid - get enabled
andreaso at ...236...
Tue Dec 16 13:43:01 EST 2003
On Tue, 16 Dec 2003, Snortty wrote:
> I tried to disable some rules by putting # in front of the
> rule (here in the icmp.rule file), and entered it in
> the oinkmaster.conf at the bottom of the file as:
> disablesid 485
> Then, I just run it simply:
> oinkmaster-0.8# oinkmaster.pl -o
> to see if the change in rule.icmp will be overwritten.
> It got overwritten after I ran it, and output shows:

It sounds like you're doing it right, so the only theory I can come up
with right now is that you're editing a different oinkmaster.conf than the
one Oinkmaster is using (/usr/local/etc/oinkmaster.conf by default in
0.8, which you can override with -C <file>). Maybe you edited the one in
the current directory instead?

If this isn't it, I'd suggest that you run in verbose mode (-v) to have
Oinkmaster tell you which rules it modifies and see if it mentions SID
485. Maybe you could also upgrade to Oinkmaster 0.9 which is even more
noisy/helpful in verbose mode.
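The two checks suggested in the reply above (which oinkmaster.conf actually carries the disablesid entry, and whether the rule ends up commented out), as an added shell example that is not part of the original thread or of Oinkmaster itself. The function names and the rules-file path in the usage comment are assumptions; only /usr/local/etc/oinkmaster.conf and the current-directory copy come from the thread.

```shell
#!/bin/sh
# Added example (not part of Oinkmaster): find out which oinkmaster.conf
# really disables a SID and whether the rule is active in a rules file.

# Exit 0 if an uncommented "disablesid" line in file $1 lists SID $2
# (comma-separated list); 1 if not; 2 if the file is unreadable.
conf_disables_sid() {
    [ -r "$1" ] || return 2
    awk -v sid="$2" '
        /^[ \t]*#/ { next }                  # commented-out directive
        $1 == "disablesid" {
            list = $0
            sub(/^[ \t]*disablesid[ \t]+/, "", list)
            n = split(list, ids, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", ids[i])
                if (ids[i] == sid) found = 1
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print "active", "disabled" (commented out) or "missing" for SID $2 in file $1.
rule_state() {
    [ -r "$1" ] || { echo missing; return; }
    awk -v sid="$2" '
        $0 ~ ("(^|[^A-Za-z_])sid:[ \t]*" sid "[ \t]*;") {
            state = ($0 ~ /^[ \t]*#/) ? "disabled" : "active"
        }
        END { print (state == "" ? "missing" : state) }' "$1"
}

# report SID RULES_FILE CONF...  -> one line per config file, then rule state.
report() {
    r_sid=$1; r_rules=$2; shift 2
    for r_conf in "$@"; do
        if conf_disables_sid "$r_conf" "$r_sid"; then
            echo "$r_conf: disablesid $r_sid is set"
        else
            echo "$r_conf: no active disablesid for $r_sid"
        fi
    done
    echo "$r_rules: sid $r_sid is $(rule_state "$r_rules" "$r_sid")"
}

# Example call (the rules path is an assumption, adjust to your install):
# report 485 /etc/snort/rules/icmp.rules /usr/local/etc/oinkmaster.conf ./oinkmaster.conf
```

If the entry shows up only in the current-directory copy, either move it to the file Oinkmaster reads or pass that copy with -C.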