[Snort-users] Rules

Andreas Östling andreaso at ...236...
Tue Dec 23 09:58:01 EST 2003


On Tue, 23 Dec 2003, Matt Kettler wrote:

> At 08:34 AM 12/23/2003, Gerson Sampaio wrote:

> However, even oinkmaster isn't going to be able to auto-update the rules 
> you've edited to have flexresp's.. those rules you'll have to hand update.. 
> but it can update the other rules in the same file...
> 
> http://oinkmaster.sourceforge.net/  

Actually, you can do it automatically with oinkmaster.
Is it recommended? In some places maybe :)
If possible, it's probably safer to move such heavily customized rules to 
a separate file and maintain it manually though.

For example, to add "resp:reset;" at the end of SID 301:
modifysid 301 "\)$" | "resp:reset;)"

Or to add "resp:reset;" to ALL rules (it's an example - don't do it :)
modifysid * "\)$" | "resp:reset;)"

There are some more examples and usage info in the default 
oinkmaster.conf.

/Andreas
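
Added example, not part of the original message and not oinkmaster's own code: a dry-run preview of what the two modifysid lines above would change, run against constructed sample rules. It approximates the substitution with Python's re module (oinkmaster itself is written in Perl); the function names and sample rules are assumptions made for illustration.

```python
import re

# Constructed sample rules (not from a real ruleset); only the SIDs matter here.
SAMPLE_RULES = [
    'alert tcp any any -> any 515 (msg:"constructed rule A"; sid:301; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed rule B"; sid:1000001; rev:1;)',
    'alert udp any any -> any 53 (msg:"constructed rule C"; sid:1000002; rev:1;)',
]

# modifysid <sid list or *> "replacethis" | "withthis"
DIRECTIVE = re.compile(r'^modifysid\s+(.+?)\s+"(.*)"\s*\|\s*"(.*)"\s*$')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_modifysid(line):
    """Split a modifysid line into (sid set or '*', compiled pattern, replacement)."""
    m = DIRECTIVE.match(line.strip())
    if not m:
        raise ValueError("not a modifysid directive: %r" % line)
    sids, pattern, replacement = m.groups()
    targets = "*" if sids.strip() == "*" else {int(s) for s in sids.split(",")}
    return targets, re.compile(pattern), replacement


def preview(directive, rules):
    """Return [(sid, before, after)] for every rule the directive would change."""
    targets, pattern, replacement = parse_modifysid(directive)
    changes = []
    for rule in rules:
        m = SID.search(rule)
        if not m:
            continue  # no SID in this line, nothing to select on
        sid = int(m.group(1))
        if targets != "*" and sid not in targets:
            continue
        # Replacement is inserted literally; backreferences are not handled here.
        after = pattern.sub(lambda _m: replacement, rule, count=1)
        if after != rule:
            changes.append((sid, rule, after))
    return changes


if __name__ == "__main__":
    for d in ('modifysid 301 "\\)$" | "resp:reset;)"',
              'modifysid * "\\)$" | "resp:reset;)"'):
        print(d)
        for sid, before, after in preview(d, SAMPLE_RULES):
            print("  SID %d\n    - %s\n    + %s" % (sid, before, after))
```

Running it prints a before/after pair per affected rule, which makes the reach of the wildcard form visible before it is placed in oinkmaster.conf.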



