[Snort-users] welchia rule

Schmehl, Paul L pauls at ...6838...
Tue Nov 4 09:55:12 EST 2003


> -----Original Message-----
> From: Leonard Miller [mailto:Leonard.Miller at ...7710...] 
> Sent: Tuesday, November 04, 2003 11:11 AM
> To: snort-users at lists.sourceforge.net; dortega at ...10460...; 
> Schmehl, Paul L
> Subject: RE: [Snort-users] welchia rule
> 
> 
> Hi,
> I just started using snort.  In order to use this rule, do I 
> just add that to the virus.rules file and enable the rule in 
> snort.conf? If I should start with something a little more 
> simple, let me know.

No, you need to create a local rules file.  When you update your rules
from snort, any modifications to the rules will be erased by the
updates.  To avoid this problem, create your own rules file.  Call it
my.rules or custom.rules, or whatever suits your fancy.  Then you put
rules like this into that file, unless they get adopted by the snort
folks and added to the standard ruleset.  (This isn't likely in the case
of virus or worm rules, because those are not being maintained.)

I have two custom sets of rules.  One is named utd.rules and is the
"permanent" custom set.  The second is called special.rules and is where
I put test rules to try them out.

Don't forget to add custom.rules (or whatever you named it) to your
snort.conf file so that snort knows about them when it's started up.
And any time you make changes to rules, you'll need to restart snort for
them to take effect.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
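The setup described in the message above, as an added example that is not part of the original post: a shell sketch that creates a local rules file and registers it in snort.conf exactly once. The function names and the constructed sample config are assumptions; `include $RULE_PATH/<file>` is the Snort 2.x include syntax.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and the
# sample snort.conf below are constructed for illustration.

# has_include CONF NAME: succeeds only if CONF contains an active
# (uncommented) "include $RULE_PATH/NAME" line.
has_include() {
    awk -v want="\$RULE_PATH/$2" '
        $1 == "include" && $2 == want { found = 1 }
        END { exit !found }' "$1"
}

# enable_local_rules CONF RULES_DIR NAME: create the local rules file if it
# is missing and add its include line once, so stock rule files stay
# untouched and ruleset updates cannot erase local rules.
enable_local_rules() {
    conf=$1 dir=$2 name=$3
    # Never truncate an existing local rules file.
    [ -e "$dir/$name" ] || : > "$dir/$name"
    # Append the include only if no active one exists (safe to re-run).
    if ! has_include "$conf" "$name"; then
        printf 'include $RULE_PATH/%s\n' "$name" >> "$conf"
    fi
}

# Demo on a throwaway copy: prints how many active include lines for
# custom.rules exist after running the setup twice.
demo_local_rules() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/rules"
    # Constructed sample config: one stock include, one commented-out custom one.
    cat > "$tmp/snort.conf" <<'EOF'
var RULE_PATH ./rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/custom.rules
EOF
    enable_local_rules "$tmp/snort.conf" "$tmp/rules" custom.rules
    enable_local_rules "$tmp/snort.conf" "$tmp/rules" custom.rules  # no-op
    grep -c '^include \$RULE_PATH/custom\.rules$' "$tmp/snort.conf"
    rm -rf "$tmp"
}

demo_local_rules
# On a real sensor, check the config with: snort -T -c /path/to/snort.conf
# and then restart snort so the new rules are loaded.
```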



