Re: Disabling rules without touching the originals

[Marcus Spading <linuxnews () fragmentum net>]

* Brian <bmc () snort org> [020103 18:35]:
> > Thanks. I will have at look at it. Maybe it does what I want, but
> > commenting out rules I do not want isn't the way I wanted to go. 
>
> Why?  If you want to disable the signature, then commenting it out
> will speed up snort and it will make sure that other signatures that
> come after the signature you disable will still fire.

Simple. Because if I don't touch the 'official' rule files, updating is a
lot easier. Inserting 20 comment marks in 10 files (and maybe on more than
one host) is not something I'd like doing in files that change that often
like snort's rule files. Having a central local.rules that contains all
changes for a given host seem much more preferable - at least to me, but
maybe I'm thinking in the wrong direction. 

Sure, commenting the rules would speedup thing a little bit. But that not a
major concern at the moment, the 'snorted' network is rather low traffic,
nothing gets dropped at the moment.

-- 
BCNU
Marcus

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users