Snort mailing list archives
Re: Writing/placing custom rules
From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 9 Feb 2006 11:10:49 -0500
My recommendation is to place your custom rules in the local.rules file. If you are going to use a lot of pass rules, I generally recommend making a whole different rules file called pass.rules, then place your pass rules in that file. Just make sure you include the pass.rules in your snort.conf file.
However, rather than writing a lot of pass rules, I generally recommend using suppression instead of pass rules.
Check out the Snort User manual for details on suppression.
Joel
On Feb 9, 2006, at 11:06 AM, mac subbu wrote:
Hi
We would like to add custom rules to our snort configuration file
1) Which would be the best place to write them
a) Write pass alert rules directly in the snort conf file
b) In local rules file
If I write them in local rules file what would it impact on other rule files
What precautions need to be taken and what are the best practices
regards
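The layout recommended in the reply above, with a pass rule set beside the equivalent suppression, as an added Snort 2.x example that is not part of the original thread. The addresses (documentation range 192.0.2.0/24), SIDs and rule text are constructed, and the placement of the suppress line is an assumption.

```conf
# --- snort.conf (excerpt) ---
# Site-specific rules live in their own files, separate from the
# distributed rule set.
include $RULE_PATH/local.rules
include $RULE_PATH/pass.rules

# --- pass.rules: the pass-rule approach ---
# Constructed example: ignore HTTP traffic from a scanner host.
# A matching pass rule tells Snort to ignore the packet, so no other
# signature alerts on this traffic either.
pass tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"LOCAL pass vuln scanner"; sid:1000001; rev:1;)

# --- suppression approach (in snort.conf or a file it includes) ---
# Silences one signature only (gen_id 1, sig_id 1000002, constructed)
# for events from that source; every other rule still alerts on the host.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10
```

Suppression keeps detection coverage for everything except the one noisy signature, which is why it is the narrower of the two options.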