Snort mailing list archives

Re: Meaning of priority?


From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 6 Jul 2002 12:21:19 -0700 (PDT)

On Fri, 5 Jul 2002 carold () gmx net wrote:

> So I read it that it is just for output processing and/or rule reviews.

Yes.  It has nothing to do with the way that snort handles the rules.  It's
only for the 'human' use and convenience factor.  :)

> The trouble with completely customizing the ruleset will become apparent
> when the admin tries to update/merge his custom set with new rules from an
> updated default set. Very painful! I did it a few times; I have no interest
> in doing it again.

heh...  Been there, done that, still have a sore head from beating it on the
desk that night.  :)

> Ultimately I have settled for adding machine-processed comment tags to the
> default set, but it is clearly a kludge.

Agreed, but if it works and works well for you--You're a winner! :)

One of the things that I've started to do, since snort.conf does change
frequently, is build a my.conf file.  This works well for a test lab, but
not so well in the real world:  Strip out all comments, blank lines and
includes from snort.conf and place them into my.conf.  Then include my.conf
right above all of the include statements for the rules.  There it will
override all the default configs with yours, and with no changes needed.  It's
quick and dirty, but it works well in a test lab.  Then when you update,
and diff snort.conf.orig and snort.conf, the only difference _should_ be a
single line.  If not, check the diff, make the new changes needed to my.conf
and away you go!

> One of the possible architectural solutions would be to allow the user to
> enable/disable/override rules outside of the ruleset itself. This way the
> updated default ruleset will stay more or less customized for each specific
> user, regardless of revisions. Example:
>
> custom.conf:
>
>     disable: 1123
>
> default ruleset:
>
>     alert tcp any any -> any any (whatever..., sid:1123; rev:4;)
>     (...will stay always disabled even when updated)

That is one way to deal with it.  Another might be to use Oinkmaster [0] and
have it keep your rules in sync for you.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


[0]     http://nitzer.dhs.org/oinkmaster/
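The disable-by-sid mechanism proposed in the quoted message, as an added example that is not code from this thread, from Snort or from Oinkmaster: a small Python script that reads a custom.conf of `disable:`/`enable:` directives and comments matching rules out (or back in) keyed on sid, so the same directives can be re-applied after every ruleset update and survive rev bumps. The `enable:` form, the sample rules and the function names are constructed for illustration.

```python
import re

# Constructed sample custom.conf in the format the thread proposes (enable: is an assumed extension).
CUSTOM_CONF = """\
# sids to keep disabled across ruleset updates
disable: 1123
disable: 2000
"""
# Constructed sample ruleset fragment (placeholder rules, not real Snort signatures).
DEFAULT_RULES = """\
alert tcp any any -> any any (msg:"sample one"; sid:1123; rev:4;)
alert tcp any any -> any any (msg:"sample two"; sid:1124; rev:1;)
# alert tcp any any -> any any (msg:"sample three"; sid:1125; rev:2;)
alert udp any any -> any any (msg:"sample four"; sid:2000; rev:3;)
"""
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")          # sid option inside a rule body
DIRECTIVE_RE = re.compile(r"^(disable|enable)\s*:\s*(\d+)$")  # one custom.conf directive


def parse_custom_conf(text):
    """Return {sid: 'disable' | 'enable'}; reject any line that does not parse."""
    directives = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"custom.conf line {lineno}: cannot parse {raw!r}")
        directives[int(m.group(2))] = m.group(1)  # later lines override earlier ones
    return directives


def apply_directives(rules_text, directives):
    """Comment out rules marked disable, uncomment rules marked enable, keyed on sid.
    Returns (new_text, changed_sids); re-applying to its own output changes nothing."""
    out, changed = [], []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m:
            sid = int(m.group(1))
            commented = line.lstrip().startswith("#")
            action = directives.get(sid)
            if action == "disable" and not commented:
                line = "# " + line
                changed.append(sid)
            elif action == "enable" and commented:
                line = line.lstrip().lstrip("#").lstrip()
                changed.append(sid)
        out.append(line)
    return "\n".join(out) + "\n", changed
```

Running it on a freshly updated rules file and diffing the result against the previous output shows exactly which customized rules changed between releases.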



