[Snort-users] Writing/placing custom rules

mac subbu dnacat25 at ...11827...
Fri Feb 10 23:34:05 EST 2006


Hi Thanks

Does where you place your local.rules  have any impact on other rule files

I would mean what is the precedence/impact of local.rules to other rule
files ..do they override them tec

regards


On 2/9/06, Joel Esler <joel.esler at ...1935...> wrote:
>
> My recommendation is to place your custom rules in the local.rules
> file.  If you are going to use alot of pass rules, I generally
> recommend making a whole different rules file called pass.rules, then
> place your pass rules in that file.  Just make sure you include the
> pass.rules in your snort.conf file.
>
> However, rather than writing alot of pass rules, I generally
> recommend using suppression instead of pass rules.
>
> Check out the Snort User manual for details on suppression.
>
> Joel
>
> On Feb 9, 2006, at 11:06 AM, mac subbu wrote:
>
> > Hi
> >
> > We would like to add custom rules to our snort configuration file
> >
> > 11)which would be the best place to write them
> >
> > a)Write pass alert rules directly in the snort conf file
> >
> > b)In local rules file
> >
> >
> > IF i write them in local rules file what would it impact on other
> > rule files
> >
> > What precautions need to be taken and what are the best practices
> >
> >
> > regards
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060210/34563276/attachment.html>


More information about the Snort-users mailing list