[Snort-users] keeping tuned signatures after update of snort.conf

Andreas Östling andreaso at ...236...
Mon Sep 18 07:52:42 EDT 2006


Martin wrote:
> On oinkmaster how would I shut off your rules specifically?
> I was under the assumption if the rule is edited and ID remains the
> same it will not be overwritten on next oinkmaster update. Am I
> mistaken here?

Like Joel said, it will be overwritten. If the downloaded rule is 
different than the local version, the downloaded one is always regarded
as the most recent version. You can however use
'localsid <sid>' in oinkmaster.conf if you want to make local tweaks to 
the rule without moving it to a separate file that isn't controlled by 
Oinkmaster. I personally don't like localsid that much but it's there.
The Oinkmaster FAQ (Q21) at
http://oinkmaster.sourceforge.net/faq.shtml has more info.
If you just want to turn off the rule completely, simply use 'disablesid 
<sid>' instead.

I started creating a web-based interface to editing oinkmaster.conf a 
while ago that will make rules management with Oinkmaster easier 
(especially if you have a large oinkmaster.conf). I hope it will be 
finished any year now.

/Andreas
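
The overwrite behaviour described in the reply above, as an added example that is not part of the original post and is not Oinkmaster code: it compares a local rules file with a freshly downloaded one by SID and lists the `localsid` / `disablesid` lines that would be needed to keep the local tuning. The rules and SIDs are constructed, and the function names are hypothetical.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_RE = re.compile(r"#?\s*(alert|log|pass|drop|reject|sdrop)\s")

# Constructed sample rules (SIDs from the local range, not real signatures).
LOCAL = """\
alert tcp any any -> any 80 (msg:"EXAMPLE A"; content:"abc"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000001; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE B"; content:"xyz"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE C"; content:"q"; sid:1000003; rev:1;)
"""
DOWNLOADED = """\
alert tcp any any -> any 80 (msg:"EXAMPLE A"; content:"abc"; sid:1000001; rev:2;)
alert tcp any any -> any 21 (msg:"EXAMPLE B"; content:"xyz"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE C"; content:"q"; sid:1000003; rev:1;)
"""

def rules_by_sid(text):
    """Map SID -> whitespace-normalised rule line (a leading '#' is kept)."""
    rules = {}
    for line in text.splitlines():
        line = " ".join(line.split())
        m = SID_RE.search(line)
        if m and RULE_RE.match(line):
            rules[int(m.group(1))] = line
    return rules

def locally_changed(local_text, downloaded_text):
    """SIDs present in both files whose local text differs from the download."""
    local, new = rules_by_sid(local_text), rules_by_sid(downloaded_text)
    return sorted(s for s in local if s in new and local[s] != new[s])

def suggest_conf(local_text, downloaded_text):
    """oinkmaster.conf lines that would preserve the local tuning."""
    local, new = rules_by_sid(local_text), rules_by_sid(downloaded_text)
    lines = []
    for sid in locally_changed(local_text, downloaded_text):
        # Locally commented out but active upstream: the rule was turned off.
        turned_off = local[sid].startswith("#") and not new[sid].startswith("#")
        lines.append(f"{'disablesid' if turned_off else 'localsid'} {sid}")
    return lines

if __name__ == "__main__":
    print("\n".join(suggest_conf(LOCAL, DOWNLOADED)))
```
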



