andreaso at ...236...
Tue Dec 23 09:58:01 EST 2003
On Tue, 23 Dec 2003, Matt Kettler wrote:
> At 08:34 AM 12/23/2003, Gerson Sampaio wrote:
> However, even oinkmaster isn't going to be able to auto-update the rules
> you've edited to have flexresp's.. those rules you'll have to hand update..
> but it can update the other rules in the same file...
Actually, you can do it automatically with oinkmaster.
Is it recommended? in some places maybe :)
If possible, it's probably safer to move such heavily customized rules to
a separate file and maintain it manually though.
For example, to add "resp:reset;" at the end of SID 301:
modifysid 301 "\)$" | "resp:reset;)"
Or to add "resp:reset;" to ALL rules (it's an example - don't do it :)
modifysid * "\)$" | "resp:reset;)"
There are some more examples and usage info in the default
More information about the Snort-users