[Snort-users] Policy-Based monitoring

Jose Maria Lopez jkerouac at ...12346...
Thu Oct 14 15:03:26 EDT 2004

On Wed, 13 Oct 2004 at 14:47, Kaplan, Andrew H. wrote:
> Hi there --
> I got Snort to operate successfully and alerts are appearing on the ACID
> console. My next step is to refine the monitoring, and to that end the approach
> that I was planning on taking was using a policy-based.rules file. I will be
> modifying the snort.conf file to include the line: include
> $RULE_PATH/policy-based.rules.
> The questions I have are, does the position of the new line matter? Should I put
> the new line at the beginning of the include statements or after them? Also,
> besides adding the line is there anything else that I need to do to Snort, or is
> simply adding the above line sufficient? Thanks.

I don't think it matters where you put your new rules,
but be careful not to interfere with other rules or SIDs.

Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
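
One way to check for the SID interference mentioned in the reply, as an added example that is not part of the original thread: it walks the active include lines of a snort.conf and reports SIDs used by more than one enabled rule, plus SIDs in the new file that fall below 1,000,000, the range Snort's documentation reserves for distributed rules. The function names, the local.rules file and all sample rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the original thread): a snort.conf
# fragment and the contents of the rule files it includes.
SNORT_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/local.rules
# include $RULE_PATH/disabled.rules
include $RULE_PATH/policy-based.rules
"""
RULE_FILES = {
    "../rules/local.rules":
        'alert tcp any any -> $HOME_NET 23 (msg:"Telnet in"; sid:1000001; rev:1;)\n',
    "../rules/policy-based.rules":
        'alert tcp $HOME_NET any -> any 6667 (msg:"IRC out"; sid:1000001; rev:1;)\n'
        '# alert tcp any any -> any 21 (msg:"off"; sid:1000001; rev:1;)\n'
        'alert udp $HOME_NET any -> any 69 (msg:"TFTP out"; sid:2049; rev:1;)\n',
}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1000000  # SIDs below this are reserved for distributed rules


def included_files(conf_text):
    """Return rule file paths from active include lines, expanding var names."""
    variables, paths = {}, []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
        elif len(parts) == 2 and parts[0] == "include":
            expand = lambda m: variables.get(m.group(1), m.group(0))
            paths.append(re.sub(r"\$(\w+)", expand, parts[1]))
    return paths


def audit_sids(conf_text, rule_files, new_file):
    """Return (duplicate SIDs with locations, reserved-range SIDs in new_file)."""
    seen = defaultdict(list)
    for path in included_files(conf_text):
        for lineno, rule in enumerate(rule_files.get(path, "").splitlines(), 1):
            if rule.lstrip().startswith("#"):
                continue  # commented-out rules cannot collide
            for sid in SID_RE.findall(rule):
                seen[int(sid)].append((path, lineno))
    duplicates = {sid: locs for sid, locs in seen.items() if len(locs) > 1}
    reserved = sorted(sid for sid, locs in seen.items() if sid < LOCAL_SID_MIN
                      and any(path == new_file for path, _ in locs))
    return duplicates, reserved
```

To run it against a live sensor, replace RULE_FILES with a dict built by reading each path returned by included_files() from disk.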
