Snort mailing list archives

Re: Writing/placing custom rules


From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 9 Feb 2006 11:10:49 -0500

My recommendation is to place your custom rules in the local.rules file. If you are going to use a lot of pass rules, I generally recommend making a whole different rules file called pass.rules, then place your pass rules in that file. Just make sure you include the pass.rules in your snort.conf file.

However, rather than writing a lot of pass rules, I generally recommend using suppression instead of pass rules.

Check out the Snort User manual for details on suppression.

Joel

On Feb 9, 2006, at 11:06 AM, mac subbu wrote:

Hi

We would like to add custom rules to our snort configuration file.

11) Which would be the best place to write them?

a) Write pass alert rules directly in the snort conf file

b) In local rules file


If I write them in the local rules file, what would the impact be on other rule files?

What precautions need to be taken and what are the best practices?


regards
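
The layout recommended in the reply, as an added example that is not part of the original thread: custom rules kept in local.rules and pass.rules, with the suppression alternative shown beside a pass rule. The rule path, SIDs and addresses are constructed placeholders.

```conf
# snort.conf (fragment) - constructed example, not from the thread.
# RULE_PATH, the SIDs and the 192.0.2.x addresses are placeholders.

var RULE_PATH /etc/snort/rules

# Keep site-specific rules in their own files so that updating the
# distributed rule files never overwrites them.
include $RULE_PATH/local.rules
include $RULE_PATH/pass.rules

# ---------------------------------------------------------------
# Contents of pass.rules (shown commented out for comparison).
# A pass rule tells Snort to ignore the matching packets, so no
# other signature can alert on that traffic either (subject to
# Snort's rule application order):
#
# pass tcp 192.0.2.10 any -> 192.0.2.20 80 (msg:"LOCAL ignore scanner to web server"; sid:1000001; rev:1;)
# ---------------------------------------------------------------

# Suppression is narrower: the packet is still inspected and only
# the named signature is silenced.

# Silence one signature for a single source address only:
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10

# Silence one signature for a single destination address only:
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.20

# Silence one signature for all hosts:
suppress gen_id 1, sig_id 1000003
```

With the suppress lines, other signatures still fire on traffic from 192.0.2.10, which is the visibility a broad pass rule would give up.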


