[Snort-users] oinkmaster - disabling rules without getting new updates
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Tue Sep 20 03:11:13 EDT 2005
--On 19 September 2005 17:12 -0400 "Humes, David G."
<David.Humes at ...383...> wrote:
> I just setup oinkmaster to update our rules. Let's say that a rule
> suddenly starts generating thousands of false positive alerts, and we
> want to disable the rule. Normally I would add a disablesid line to the
> conf file and run oinkmaster. But, that's going to update my rules with
> the latest rule set, which may or may not be what I want. If it's late
> on a Friday afternoon, I don't want to introduce new rules that may false
> positive over the weekend. The oinkmaster documentation is fairly
> insistent about not editing the rules files directly. But, one approach
> is to edit the appropriate rules file and restart snort, and also edit
> the oinkmaster.conf file to make certain the rule does not get
> re-enabled. Another possibility is to run oinkmaster using only local
> copies of the rules archives so it doesn't update from the URLs. But,
> that introduces an extra step of having to manually download the updates.
Why not write a couple of scripts to wrap oinkmaster; one that uses wget to
grab the updates to local files first before running oinkmaster, and another
that uses pre-existing local files?
I've already done the former, and I'm tempted to comment out a couple of
lines to create the latter to handle the very scenario you've described.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
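The pair of wrappers Alex describes, written out as one script with two modes, is shown below as an added example; it is not code from the original thread or from the oinkmaster project. It assumes the config, rules-directory and cache paths given at the top (override them in the environment), uses a placeholder URL in place of the real rules download, and relies on oinkmaster's `-C`, `-o` and `-u` options, with `-u` pointing at a `file://` URL so the apply step never reaches the network. The `disable` action covers the Friday-afternoon case from the question: it records a `disablesid` line once and re-applies the rules you already have.

```shell
#!/bin/sh
# Added example (not from the original thread): a thin wrapper that splits
# oinkmaster's "fetch the new tarball" step from its "apply the tarball" step,
# so a disablesid change can be applied to the rules you already have without
# pulling in a fresh ruleset. Paths and URL below are assumptions; override
# them in the environment to match your site.
: "${OINK_CONF:=/etc/oinkmaster.conf}"
: "${OINK_RULES_DIR:=/etc/snort/rules}"
: "${OINK_CACHE:=/var/cache/oinkmaster}"
: "${OINK_URL:=https://example.invalid/snortrules-snapshot.tar.gz}"  # placeholder URL

archive_path() { printf '%s/snortrules-snapshot.tar.gz\n' "$OINK_CACHE"; }

# Step 1: download the current tarball into the local cache only. Snort and
# the live rules directory are untouched until apply_rules runs.
fetch_rules() {
    archive=$(archive_path)
    mkdir -p "$OINK_CACHE" || return 1
    if ! wget -q -O "$archive.tmp" "$OINK_URL"; then
        rm -f "$archive.tmp"
        echo "download of $OINK_URL failed; cached archive left unchanged" >&2
        return 1
    fi
    mv "$archive.tmp" "$archive"
}

# Step 2: run oinkmaster against the cached tarball. -u overrides the url=
# line in oinkmaster.conf and a file:// URL is accepted, so no network access
# happens here; disablesid/enablesid lines in the config are still honoured.
apply_rules() {
    archive=$(archive_path)
    if [ ! -f "$archive" ]; then
        echo "no cached archive at $archive; run '$0 update' first" >&2
        return 1
    fi
    oinkmaster -C "$OINK_CONF" -o "$OINK_RULES_DIR" -u "file://$archive"
}

# Record a disablesid line once (idempotent) so the rule stays off across
# future updates; the caller then re-applies the cached tarball.
disable_sid() {
    sid=$1
    case "$sid" in
        ''|*[!0-9]*) echo "disable_sid: '$sid' is not a numeric SID" >&2; return 1 ;;
    esac
    grep -q "^disablesid[[:space:]]\{1,\}$sid\$" "$OINK_CONF" 2>/dev/null \
        || echo "disablesid $sid" >> "$OINK_CONF"
}

main() {
    case "${1:-}" in
        update)  fetch_rules && apply_rules ;;          # fetch new rules, then apply
        local)   apply_rules ;;                         # apply cached rules only
        disable) disable_sid "$2" && apply_rules ;;     # turn a noisy rule off now
        *) echo "usage: $0 update | local | disable <sid>" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with an action, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `update` on a normal maintenance day and `local` (or `disable <sid>`) when you want a rule change without new rules; oinkmaster itself does not restart Snort, so a reload step still belongs after either mode. The cached tarball is replaced only after a complete download, so a failed fetch leaves the last known-good archive in place for `local` mode.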