Re: Meaning of priority?

[carold () gmx net]

> On Fri, 5 Jul 2002 carold () gmx net wrote:
>
> > So I read it that it is just for output processing and/or rule reviews.
>
> Yes.  It has nothing to do with the way that snort handles the rules. 
> It's
> only for the 'human' use and convience factor.  :)
>
> > The trouble with completely customizing the ruleset will become apparent
> > when the admin tries to update/merge his custom set with new rules from
> an
> > updated default set. Very painful! I did it a few times I have no
> interest in
> > doing it again.
>
> heh...  Been there, done that, still have a sore head from beating it on
> the
> desk that night.  :)
>
> > Ultimately I have settled for adding machine-processed comment tags to
> the
> > default set but it is clearly a cludge.
>
> Agreed, but if it works and works well for you--You're a winner! :)
>
> One of the things that I've started to do is since snort.conf does change
> frequently, I've build a my.conf file.  This works well for a test lab,
> but
> not so well in the real world:  Strip out all comments, blank lines and
> includes from snort.conf and place them into my.conf.  Then include
> my.conf
> right above all of the include statements for the rules.  There it will
> override all the default configs with yours, and with no changes needed. 
> It's
> quick and dirty, but it works well in a test lab.  Then when you update,
> and diff snort.conf.orig and snort.conf the only difference _should_ be a
> single line.  If not, check the diff, make the new changes needed to
> my.conf
> and away you go!
>
> > One of possible architectural solutions would be to allow the user to
> > enable/disable/override rules outside of the ruleset itself. This way
> the
> > updated default ruleset will stay more or less customized for each
> specific
> > user, regardless of revisions. Example:
> >
> > custom.conf:
> >
> >     disable: 1123
> >
> > default ruleset:
> >
> >     alert tcp any any -> any any (whatever..., sid:1123; rev:4;)
> >     (...will stay always disabled even when updated)
>
> That is one way to deal with it.  Another might be to use Oinkmaster [0]
> and
> have it keep your rules in sync for you.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
>
> [0]   http://nitzer.dhs.org/oinkmaster/

This is quite good! One feature that I would add to it is to allow changing
the rule class. I have a number of rules from the default ruleset where I
only changed "alert" to "log" (instead of disabling them altogether) so I can
keep track of certain activities but I do not want to fire an alarm every
single time.

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
We have stuff for geeks like you.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users