[Snort-users] Policy-Based monitoring

Jose Maria Lopez jkerouac at ...12346...
Thu Oct 14 15:03:26 EDT 2004


On Wed, 13 Oct 2004 at 14:47, Kaplan, Andrew H. wrote:
> Hi there --
> 
> I got Snort to operate successfully and alerts are appearing on the ACID
> console. My next step is to refine the monitoring, and to that end the approach
> that I was planning on taking was using a policy-based.rules file. I will be
> modifying the snort.conf file to include the line: include
> $RULE_PATH/policy-based.rules.
> 
> The questions I have are, does the position of the new line matter? Should I put
> the new line at the beginning of the include statements or after them? Also,
> besides adding the line is there anything else that I need to do to Snort, or is
> simply adding the above line sufficient? Thanks.

I don't think it matters where you put your new rules,
but be careful not to interfere with other rules or SIDs.

-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"




