Re: Snort-users digest, Vol 1 #1104 - 14 msgs

[Dennis Henderson <hendo () hendohome com>]

Alexander,

I made a custom ruleset called Noise Reduction.  I put all my false 
positive rules in there and changed alert to pass.

I use the "-o" option to reverse the evaluation order that snort uses to 
test traffic.

With -o, "pass" rules are evaluated before "alert and log".

My rules can update all day and life goes on.  It seems to work for me.

Hendo


At 11:33 PM 10/1/01 -0700, you wrote:
> From: <adulau-snort () colorado g-inter net>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] rules update script and consistency
>
> Hello All,
>
> Here it is my trouble, I want to update automatically my rules set without
> having to change back my false-positive removed rules.
> I have seen this scripts, snort-update. Snort-update is doing only a diff
> of the existing rules and send a mail for doing manually the mv.
>
> I plan to do a script like that :
>
> -> Concentrate all the rules, in one files.
> -> Make modification with using this script (or the script via Webmin).
>
>         The script keep two files : one activated rule list and one
>                                     desactivated rule list.
> -> When i get snort rule from snort.org or from whitewhats, it's generate
> a new activated rule list and remove the entry available in desactivated
> rule list.




> -> So we have new rules but the already desactivated rules...
>
> Is there any script like that for the moment, or i need to do it ?
> (To not do the work 2 times 8-))
>
> Thanks a lot
>
> Alexandre Dulaunoy
> --
> http://www.foo.be/


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users