[Snort-users] oinkmaster - disabling rules without getting new updates

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Sep 20 03:11:13 EDT 2005

--On 19 September 2005 17:12 -0400 "Humes, David G." 
<David.Humes at ...383...> wrote:

> I just setup oinkmaster to update our rules.  Let's say that a rule
> suddenly starts generating thousands of false positive alerts, and we
> want to disable the rule.  Normally I would add a disablesid line to the
> conf file and run oinkmaster.  But, that's going to update my rules with
> the latest rule set, which may or may not be what I want.  If it's late
> on a Friday afternoon, I don't want to introduce new rules that may false
> positive over the weekend.  The oinkmaster documentation is fairly
> insistent about not editing the rules files directly.  But, one approach
> is to edit the appropriate rules file and restart snort, and also edit
> the oinkmaster.conf file to make certain the rule does not get
> re-enabled.  Another possibility is to run oinkmaster using only local
> copies of the rules archives so it doesn't update from the URLs.  But,
> that introduces an extra step of having to manually download the updates.

Why not write a couple of scripts to wrap oinkmaster; one that uses wget to 
grab the updates to local files first before runs oinkmaster, and another 
that uses pre-existing local files?

I've already done the former, and I'm tempted to comment out a couple of 
lines to create the latter to handle the very scenario you've described.

> --Dave

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list