[Snort-users] oinkmaster - disabling rules without getting new updates

Joel Esler joel.esler at ...1935...
Mon Sep 19 14:18:15 EDT 2005


My suggestion would be to look into suppression.  That way you're not
turning off a rule completely, and you're able to specifically tune
the suppression towards your environment.

Joel Esler
SOURCEfire


On Sep 19, 2005, at 5:12 PM, Humes, David G. wrote:

> I just set up oinkmaster to update our rules.  Let's say that a rule
> suddenly starts generating thousands of false positive alerts, and
> we want to disable the rule.  Normally I would add a disablesid
> line to the conf file and run oinkmaster.  But, that's going to
> update my rules with the latest rule set, which may or may not be
> what I want.  If it's late on a Friday afternoon, I don't want to
> introduce new rules that may false positive over the weekend.  The
> oinkmaster documentation is fairly insistent about not editing the
> rules files directly.  But, one approach is to edit the appropriate
> rules file and restart snort, and also edit the oinkmaster.conf
> file to make certain the rule does not get re-enabled.  Another
> possibility is to run oinkmaster using only local copies of the
> rules archives so it doesn't update from the URLs.  But, that
> introduces an extra step of having to manually download the
> updates.  Yet another approach would be to run oinkmaster
> interactively, and just reject all the changes with the exception
> of the one I added.  Ideally, I think that there should be an
> oinkmaster option for this to minimize extra steps and to keep
> people from editing the rules files directly.  Thoughts?
>
> Thanks.
>
> --Dave
>

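The suppression Joel points to lives in Snort's threshold.conf, not in the rules files, so it survives every oinkmaster run and needs no disablesid line at all. The fragment below is an added example, not from either poster; sid 1000001, the 10.1.2.0/24 scanner subnet and the 10.1.3.4 host are constructed placeholders.

```snort
# threshold.conf  (pulled in by "include threshold.conf" in snort.conf)
# Nothing here edits the rules files, so oinkmaster can keep managing
# them while this tuning stays in place.  Snort re-reads the file on
# restart (or SIGHUP), the same as any other config change.

# 1. Narrow suppression: drop alerts for sid 1000001 (constructed sid)
#    only when the source is the vulnerability-scanner subnet
#    (constructed).  Every other source still triggers the rule.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.2.0/24

# 2. Same idea keyed on the destination, for a host that legitimately
#    receives the traffic the rule matches (constructed address).
suppress gen_id 1, sig_id 1000001, track by_dst, ip 10.1.3.4

# 3. Rate-limit instead of silence: at most one alert per source per
#    hour for sid 1000001, so a noisy rule still leaves a trace in the
#    logs while the false positives are being investigated.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 3600

# 4. Global suppression: same visible effect as disabling the rule,
#    but the rule file itself is untouched.  Note the rule still runs
#    in the detection engine, so this saves alert noise, not CPU.
# suppress gen_id 1, sig_id 1000001
```

Entries 1 and 3 are the tuning Joel describes: the rule keeps firing for everyone except the known-benign source, which is something a disablesid line cannot express. If the rule really is wrong for the whole network, the permanent fix is still `disablesid 1000001` in oinkmaster.conf at the next scheduled update.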