[Snort-users] keeping tuned signatures after update of snort.conf

Joel Esler joel.esler at ...1935...
Wed Sep 13 10:02:54 EDT 2006


No problem


On Wed, Sep 13, 2006 at 09:37:22AM -0400, martin apparently sent me:
> Joel,
> thank you very much for your help!
> -martin
> 
> On 9/12/06, Joel Esler <joel.esler at ...1935...> wrote:
> >Base has some dependencies, but there are more pros than cons.
> >
> >Oinkmaster, use 'modifysid' to turn the rule off, look in the documentation or even in the oinkmaster.conf file.
> >
> >> I was under the assumption if the rule is edited and ID remains the
> >> same it will not be overwritten on next oinkmaster update. Am I
> >> mistaken here?
> >
> >If a rule is edited and the ID remains the same, the rule WILL be overwritten (hence why I recommend you edit a COPY of our 
> >rule, as opposed to editing our direct rule, because if you modify our rule, then use oinkmaster, all your changes just got 
> >zapped).
> >
> >I'd rather edit manually, but I have a lot of stuff that does it for me.
> >
> >
> >On Tue, Sep 12, 2006 at 02:50:37PM -0400, martin apparently sent me:
> >> Thanks Joel.
> >> I tried SC 2 ...as crappy as SC 1 really. Lots of bugs and still does
> >> nothing for me.
> >> I tried installing base but got a lot of dependency issues and gave
> >> up. I will try again.
> >> On oinkmaster how would I shut off your rules specifically?
> >> I was under the assumption if the rule is edited and ID remains the
> >> same it will not be overwritten on next oinkmaster update. Am I
> >> mistaken here?
> >> I haven't done IDSPM yet because it is Windows based. I wonder why
> >> there is no proper linux-based console...But I will provision machine
> >> and do it. Would you recommend that over editing manually?
> >> thanks
> >> Martin
> >>
> >> On 9/12/06, Joel Esler <joel.esler at ...1935...> wrote:
> >> >First off, ditch ACID. :-)  Use BASE.  base.secureideas.net  ACID is dead.
> >> >
> >> >There's a couple ideas I can give you, one:  IDSPM from http://www.activeworx.org
> >> >two:  http://www.sourcefire.com :)
> >> >three: Sguil (Bamm, am I right with that?)
> >> >
> >> >I think I heard of a SnortCenter2 as well.  Try checking for that.
> >> >
> >> >Also, if you are editing the Sourcefire signatures, it's recommended that you copy the rule you are editing to
> >> >local.rules, edit it, and shut off ours using oinkmaster, and in the rules file.
> >> >
> >> >Also, ensure that your variables are accurate as well.
> >> >
> >> >Joel
> >> >
> >> >
> >> >On Sun, Aug 27, 2006 at 12:13:28PM -0400, martin apparently sent me:
> >> >> I have a Snort-Mysql-Acid-Snortcenter setup.
> >> >> I am using Snortcenter to update my signature files to my 6 sensors.
> >> >> The problem I am having is Snortcenter does not edit the signatures
> >> >> correctly in the DB so my Snortcenter updates overwrite my existing
> >> >> changes in the snort.conf files (any tuning or removing of
> >> >> signatures).
> >> >> What alternative is there to snortcenter that I can use to tune
> >> >> signatures from a central location and push out?
> >> >> thanks
> >> >>
> >> >>
> >> >
> >>
> >
> 
+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
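One way to carry out the workflow Joel describes (copy the vendor rule to local.rules, then shut off the original through Oinkmaster so the next update cannot clobber the tuned copy), as an added example that is not part of the thread. It assumes single-line rules, a local SID range starting at 1000000, and Oinkmaster's standard `disablesid` directive in oinkmaster.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes single-line rules, local SIDs
# from 1000000 upward, and the standard "disablesid" directive in oinkmaster.conf.

# Print the rule with SID $2 from rules file $1 (first match only).
extract_rule() {
    grep -E "sid:[[:space:]]*$2;" "$1" | head -n 1
}

# Rewrite the SID of a rule line to $2 and reset rev to 1 for the local copy.
retag_rule() {
    printf '%s\n' "$1" \
        | sed -E "s/sid:[[:space:]]*[0-9]+;/sid:$2;/; s/rev:[[:space:]]*[0-9]+;/rev:1;/"
}

# tune_rule RULES_FILE SID LOCAL_RULES NEW_SID OINKMASTER_CONF
# Appends a renumbered copy of the rule to LOCAL_RULES and adds
# "disablesid SID" to OINKMASTER_CONF (once). Returns 1 if SID is not found.
# The same effect via modifysid would be:
#   modifysid SID "^alert" | "#alert"
tune_rule() {
    rules_file=$1; sid=$2; local_rules=$3; new_sid=$4; oink_conf=$5
    rule=$(extract_rule "$rules_file" "$sid") || return 1
    [ -n "$rule" ] || return 1
    retag_rule "$rule" "$new_sid" >> "$local_rules"
    grep -qE "^disablesid[[:space:]]+$sid\$" "$oink_conf" 2>/dev/null \
        || printf 'disablesid %s\n' "$sid" >> "$oink_conf"
}
```

Run Oinkmaster afterwards: the vendor copy stays commented out on every update while the local.rules copy, which Oinkmaster never rewrites, keeps the tuning.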