[Snort-users] Writing/placing custom rules
dnacat25 at ...11827...
Fri Feb 10 23:34:05 EST 2006
Does where you place your local.rules have any impact on other rule files
I would mean what is the precedence/impact of local.rules to other rule
files ..do they override them tec
On 2/9/06, Joel Esler <joel.esler at ...1935...> wrote:
> My recommendation is to place your custom rules in the local.rules
> file. If you are going to use alot of pass rules, I generally
> recommend making a whole different rules file called pass.rules, then
> place your pass rules in that file. Just make sure you include the
> pass.rules in your snort.conf file.
> However, rather than writing alot of pass rules, I generally
> recommend using suppression instead of pass rules.
> Check out the Snort User manual for details on suppression.
> On Feb 9, 2006, at 11:06 AM, mac subbu wrote:
> > Hi
> > We would like to add custom rules to our snort configuration file
> > 11)which would be the best place to write them
> > a)Write pass alert rules directly in the snort conf file
> > b)In local rules file
> > IF i write them in local rules file what would it impact on other
> > rule files
> > What precautions need to be taken and what are the best practices
> > regards
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users