[Snort-users] Oinkmaster overwrites

Nigel Houghton nigel at ...1935...
Wed Jun 7 15:11:05 EDT 2006


On  0, Drew Burchett <DrewB at ...13821...> wrote:
> If I modify a rule in one of the snort rule files (i.e., add a snortsam
> configuration to that rule), when Oinkmaster updates, what does it do
> with that rule?

You could put your modified rule into your local.rules then make sure
the line "skipfile local.rules" is uncommented in your oinkmaster.conf.

You can then disable the original rule and modify your oinkmaster.conf
so that the rule remains disabled after each update.

An example might look like this:

 modifysid 1325 "^alert" | "#alert"

There are many other more complex ways to achieve the end goal of
keeping your modifications after each rule update. This is just a simple
example. It is possible to modify the rules using oinkmaster during each
update; the oinkmaster.conf file is full of examples.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
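
A check for the setup described in the reply above, as an added example that is not part of the original message or of Oinkmaster: it verifies that oinkmaster.conf skips local.rules, keeps the original SID disabled, and that local.rules holds an active copy of the rule. The function names, the sample file contents and the fwsam option in the sample rule are constructed for illustration.

```shell
#!/bin/sh
# Added example. The sample oinkmaster.conf and local.rules are constructed.

# True if CONF has an uncommented skipfile line that names local.rules.
skips_local_rules() {
    grep -Eq '^[[:space:]]*skipfile[[:space:]]+([^#]*[[:space:],])?local\.rules([[:space:],]|$)' "$1"
}

# True if CONF keeps SID off after updates: a disablesid entry, or a
# modifysid whose replacement text starts with "#" (as in the reply above).
sid_kept_disabled() {
    awk -v sid="$2" '
        /^[ \t]*#/ { next }
        $1 == "disablesid" || ($1 == "modifysid" && $0 ~ /\|[ \t]*"#/) {
            n = split($2, ids, ",")
            for (i = 1; i <= n; i++) if (ids[i] == sid) found = 1
        }
        END { exit !found }' "$1"
}

# True if RULES holds an active (not commented out) rule carrying SID.
has_local_rule() {
    grep -Eq "^[[:space:]]*[a-z]+[[:space:]].*sid:[[:space:]]*$2;" "$1"
}

check_override() {  # usage: check_override CONF LOCAL_RULES SID
    skips_local_rules "$1" || { echo "FAIL: skipfile local.rules missing or commented"; return 1; }
    sid_kept_disabled "$1" "$3" || { echo "FAIL: SID $3 is not kept disabled in $1"; return 1; }
    has_local_rule "$2" "$3" || { echo "FAIL: no active copy of SID $3 in $2"; return 1; }
    echo "OK: modified SID $3 survives updates"
}

write_sample() {  # usage: write_sample DIR (constructed file contents)
    cat > "$1/oinkmaster.conf" <<'EOF'
skipfile local.rules
modifysid 1325 "^alert" | "#alert"
EOF
    cat > "$1/local.rules" <<'EOF'
alert tcp any any -> any 22 (msg:"constructed local copy"; sid:1325; rev:1; fwsam: src, 5 minutes;)
EOF
}

demo=$(mktemp -d)
write_sample "$demo"
check_override "$demo/oinkmaster.conf" "$demo/local.rules" 1325
```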