[Snort-users] Snort 2.1.0 with snortcenter v1.0

Markus.Becker at ...11568...
Mon Apr 5 06:51:38 EDT 2004

Jim Cervantes (jcervant at ...9478...) wrote:
>Even though Snortcenter complains when importing the affected rules, it
>still imports them into the rule database and will push them out to your
>sensors without the options it doesn't recognize. This is very unfortunate
>because you generally end up with under qualified rules that will fire when
>they shouldn't.

There is perhaps a (UGLY) workaround for this:
For every rule which has this problem, create a local copy. Cut&paste the
omitted part into one of the varchar-fields (preferably an already filled
content-field). Make sure you put your text AFTER the original content of
the field and prefix your text with a semicolon or a space.
Since Snortcenter doesn't care too much about the actual content of any of
the fields, this results in the translation of your input into a rule,
which snort accepts without
Ugly and tedious though. Keep a list of any rules and their local
counterparts for future reference.
Correct the above, if there's anything wrong.

Markus Becker

DBV Winterthur Versicherungen
OE365 Dezentrale Systeme
Frankfurter Strasse 50
D-65178 Wiesbaden

Tel.: 	0611 - 363 6973
Fax: 	0611 - 363 5 6973
Email:	Markus.Becker at ...11568...
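
An added example, not part of the original post: one way to check what actually reached a sensor is to compare each rule's options, by sid, against the rule as originally shipped, which also confirms that a local copy built with the workaround above carries every option again. The sample rules are constructed, the function names are hypothetical, and the use of `pcre` as the dropped option is only an illustration, since the thread does not name the affected options.

```python
from collections import Counter

# Constructed sample rules (not from the original post). EXPORTED stands for
# what the sensor received; sid 1000001 has lost its pcre option there.
ORIGINAL = r'''
alert tcp any any -> any 80 (msg:"EXAMPLE a\;b"; flow:to_server,established; content:"/x.cgi"; pcre:"/x\.cgi\?id=\d+/i"; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE two"; content:"HELO"; sid:1000002; rev:1;)
'''
EXPORTED = r'''
alert tcp any any -> any 80 (msg:"EXAMPLE a\;b"; flow:to_server,established; content:"/x.cgi"; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE two"; content:"HELO"; sid:1000002; rev:1;)
'''

def split_options(rule):
    """Return [(keyword, value)] from the parenthesised option block of one rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, in_quote, escaped = [], "", False, False
    for ch in body:
        # A semicolon ends an option unless it is quoted or backslash-escaped.
        if ch == ";" and not in_quote and not escaped:
            key, _, val = buf.strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip()))
            buf = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\" and not escaped)
        buf += ch
    return opts

def index_by_sid(text):
    """Map sid -> option list for every non-comment rule line in text."""
    rules = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "(" in line:
            opts = split_options(line)
            rules[dict(opts).get("sid")] = opts
    return rules

def dropped_options(original, exported):
    """Map sid -> options in the original rule that are absent after export."""
    exp, report = index_by_sid(exported), {}
    for sid, opts in index_by_sid(original).items():
        # Multiset difference, because options such as content may repeat.
        missing = list((Counter(opts) - Counter(exp.get(sid, []))).elements())
        if missing:
            report[sid] = missing
    return report

if __name__ == "__main__":
    for sid, missing in dropped_options(ORIGINAL, EXPORTED).items():
        print(sid, "lost:", "; ".join(f"{k}:{v}" for k, v in missing))
```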
