Disabling rules without touching the originals

[Marcus Spading <linuxnews () fragmentum net>]

Hello snorters,

I've spending hours trying to figure out how to disable single rules from
the standard distribution by *only* changing snort.conf or rules.local. I
do not want to touch any given standard rule, so updating the rulesets will
be much easier.

My last attempt was the following (in rules.local)

ruletype donotshow {
        type alert
        output log_null
}
donotshow tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS (msg:"Disabled Proxy Scan Attempt";flags:S;)

I wanted to create a rule that is applied earlier, than the standard rule,
but it didnt work. I also played with the sid in the rule and I tried to
change the include order in snort.conf.. nothing.

Is commenting out a rule or changing the vars in a rule so it doesnt match
anymore really the only way to archive this? How do you guys update and
organize your rulesets then?

BTW: I'm using Snort 1.8.3, logging to a mysql db, but I dont think that
matters here.

Since this is my first posting to this list please have patience. I hope I
didnt overlook something obvious.

-- 
BCNU
Marcus

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users