[Snort-users] keeping tuned signatures after update of snort.conf
andreaso at ...236...
Mon Sep 18 07:52:42 EDT 2006
> On oinkmaster how would I shut off your rules specifically?
> I was under the assumption if the rule is edited and ID remains the
> same it will not be overwritten on next oinkmaster update..Am i
> mistaken here?
Like Joel said, it will be overwritten. If the downloaded rule is
different than the local version, the downloaded one is always regarded
as the most recent version. You can however use
'localsid <sid>' in oinkmaster.conf if you want to make local tweaks to
the rule without moving it to a separate file that isn't controlled by
Oinkmaster. I personally don't like localsid that much but it's there.
The Oinkmaster FAQ (Q21) at
http://oinkmaster.sourceforge.net/faq.shtml has more info.
If you just want to turn off the rule completely, simply use 'disablesid
I started creating a web-based interface to editing oinkmaster.conf a
while ago that will make rules management with Oinkmaster easier
(especially if you have a large oinkmaster.conf). I hope it will be
finished any year now.
More information about the Snort-users