[Snort-users] keeping tuned signatures after update of snort.conf

Joel Esler joel.esler at ...1935...
Tue Sep 12 14:44:48 EDT 2006

First off, ditch ACID. :-)  Use BASE.  base.secureideas.net  ACID is dead.                                                 
There's a couple ideas I can give you, one:  IDSPM from http://www.activeworx.org                                          
two:  http://www.sourcefire.com :)                                                                                         
three: Sguil (Bamm, am I right with that?)                                                                                 
I think I heard of a SnortCenter2 as well.  Try checking for that.                                                         
Also, if you are editing the Sourcefire signatures, it's recommended that you copy the rule you are editing to local.rules, edit it, and shut off ours using oinkmaster, and in the rules file.

Also, ensure that your variables are accurate as well.


On Sun, Aug 27, 2006 at 12:13:28PM -0400, martin apparently sent me:
> I have a Snort-Mysql-Acid-Snortcenter setup.
> I am using Snortcenter to update my signature files to my 6 sensors.
> The problem I am having is Snortcenter does not edit the signatures
> correctly in the DB so my Snortcenter updates overwrite my exisiting
> changes in the snort.conf files (any tuning or removing of
> signatures).
> What alternative is there to snortcenter that I can use to tune
> signatures from a central location and push out?
> thanks
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj

More information about the Snort-users mailing list