[Snort-users] Fine tuning Snort

Jefferson, Shawn Shawn.Jefferson at ...14448...
Fri Oct 8 12:02:33 EDT 2010


PulledPork has this functionality built in. You can disable rules based on a PCRE. I don't run McAfee VirusScan, for instance, so I can disable all current and all future rules for it. Also, it's currently being developed, unlike Oinkmaster.


-----Original Message-----
From: Josh Little [mailto:josh at ...14998...] 
Sent: Friday, October 08, 2010 6:09 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Fine tuning Snort

I have a small tool written in Perl called Pigsty that will automate
finding any sigs in your enabled ruleset that match a pattern. The tool
will output a list of disablesid lines that you can then drop into your
oinkmaster.conf file or have the tool directly append the file. This
makes cleaning up your current rules much easier. You could probably
modify the oinkmaster Perl script to run Pigsty just after the latest
sigs are downloaded and before the routine for commenting out disabled
sids completes.

Find it at http://zombietango.com/blog/tools/

ZT
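
Added example, not part of either message and not code from Pigsty, PulledPork or Oinkmaster: a sketch of the pattern-based disabling both posts describe, which scans the enabled rules for a `msg` matching a regular expression and emits `disablesid` lines for oinkmaster.conf. The sample rules, their SIDs and the function names are constructed for illustration, and Python's `re` stands in for PCRE.

```python
import re

# Constructed sample rules (not from any real ruleset); SIDs are in the local range.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"EXAMPLE McAfee VirusScan agent overflow attempt"; flow:to_server,established; content:"|41 41|"; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"EXAMPLE McAfee VirusScan old rule"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web server directory traversal"; content:"../"; sid:1000003; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 8082 (msg:"EXAMPLE mcafee ePO malformed packet"; sid:1000004; rev:1;)
'''

# An enabled rule starts with an action keyword; a leading '#' means it is already disabled.
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s[^(]*\((.*)\)\s*$')
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')


def enabled_rules(text):
    """Yield (sid, msg) for every enabled rule in a rules file's text."""
    for line in text.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue  # blank line, comment, or commented-out rule
        body = rule.group(1)
        sid, msg = SID_RE.search(body), MSG_RE.search(body)
        if sid and msg:
            yield int(sid.group(1)), msg.group(1)


def matching_rules(text, pattern):
    """Return (sid, msg) pairs whose msg matches the pattern, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(sid, msg) for sid, msg in enabled_rules(text) if rx.search(msg)]


def disablesid_lines(text, pattern):
    """Return one oinkmaster.conf 'disablesid' line per matching enabled rule."""
    return [f"disablesid {sid}" for sid, _ in matching_rules(text, pattern)]


if __name__ == "__main__":
    # Review the matches before appending anything to oinkmaster.conf.
    for sid, msg in matching_rules(SAMPLE_RULES, r"mcafee"):
        print(f"# {msg}")
        print(f"disablesid {sid}")
```

Printing the matched `msg` next to each SID makes an over-broad pattern visible before it silently removes detection coverage.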




