Security Basics
mailing list archives
Re: snort updates and changes to snort.conf
From: Joe Beasley <securityadmin () joebeasley org>
Date: Tue, 01 Jul 2008 19:21:18 -0500

You don't have to put your snort.conf file in the same directory your
*.rules files are in. I keep my snort.conf in /usr/local/snort-version/etc,
and keep all the rules in /usr/local/snort-version/rules.

All rule updates will have a new snort.conf (which is overwritten each
time) in the rules directory, but I start snort with the conf file in
the etc directory.

On Sun, 2008-06-29 at 18:07 -0700, newsecurityguy wrote:
> I know this is not really the place for this question but I have had no luck
> elsewhere. Currently, snort is set to update to the newest rule set on a
> daily basis, which is what I want. However, I also need to suppress some
> SIDS, which I have always done by editing the snort.conf file. When the
> updates occur, it appears as if snort.conf is overwritten with a new
> version, as the changes I make to the file do not last more than 24 hours
> before disappearing out of the snort.conf. Am I correct in assuming this is
> what is occurring? Is there any other way to easily suppress events without
> having to edit the file after each update?
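
An added example, not part of either poster's message: with the active snort.conf kept in etc/ as the reply describes, the copy each update writes into rules/ is never loaded, so rule files that only the new copy enables stay off. The script below compares the two files and confirms the local suppress lines survive; the directory contents, rule file names and SID are constructed.

```shell
#!/bin/sh
# Added example. Paths and file contents are constructed; only the etc/ vs
# rules/ split comes from the thread.

# Rule files a snort.conf enables (uncommented "include ...rules" lines).
enabled_rules() {
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\([^[:space:]#]*\.rules\).*/\1/p' "$1" | sort -u
}

# Rule files the shipped conf enables that the active conf does not.
missing_includes() {    # $1 = active conf, $2 = conf shipped by the update
    a=$(mktemp); s=$(mktemp)
    enabled_rules "$1" > "$a"
    enabled_rules "$2" > "$s"
    comm -13 "$a" "$s"
    rm -f "$a" "$s"
}

# Number of local "suppress" lines present in a conf.
suppress_count() {
    grep -Ec '^[[:space:]]*suppress[[:space:]]' "$1" || true
}

# Constructed layout: hand-edited etc/snort.conf, update-written rules/snort.conf.
make_demo() {           # $1 = directory to populate
    mkdir -p "$1/etc" "$1/rules"
    cat > "$1/etc/snort.conf" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/web-misc.rules
# include $RULE_PATH/chat.rules
suppress gen_id 1, sig_id 1000001
EOF
    cat > "$1/rules/snort.conf" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/example-new.rules
EOF
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
echo "suppress lines in active conf:  $(suppress_count "$demo_dir/etc/snort.conf")"
echo "suppress lines in shipped conf: $(suppress_count "$demo_dir/rules/snort.conf")"
echo "enabled upstream but not locally:"
missing_includes "$demo_dir/etc/snort.conf" "$demo_dir/rules/snort.conf"
rm -rf "$demo_dir"
```

Run after each rule update, a non-empty "enabled upstream but not locally" list is the cue to review the new include lines and merge the ones you want into the conf in etc/.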