Snort mailing list archives
RE: Snort 2.1.0 with snortcenter v1.0
From: Markus.Becker () dbv-winterthur de
Date: Thu, 1 Apr 2004 11:17:23 +0200
Jim Cervantes (jcervant () umbranetworks com) wrote:
Even though Snortcenter complains when importing the affected rules, it still imports them into the rule database and will push them out to your sensors without the options it doesn't recognize. This is very unfortunate because you generally end up with underqualified rules that will fire when they shouldn't.
There is perhaps a (UGLY) workaround for this:
For every rule which has this problem, create a local copy. Cut&paste the omitted part into one of the varchar-fields (preferably an already filled content-field). Make sure you put your text AFTER the original content of the field and prefix your text with a semicolon or a space.
Since Snortcenter doesn't care too much about the actual content of any of the fields, this results in the translation of your input into a rule, which snort accepts without complaining.
Ugly and tedious though. Keep a list of any rules and their local counterparts for future reference.
Correct the above, if there's anything wrong.
Greetings
Markus
_________________________________________
Markus Becker
DBV Winterthur Versicherungen
OE365 Dezentrale Systeme
Frankfurter Strasse 50
D-65178 Wiesbaden
Tel.: 0611 - 363 6973
Fax: 0611 - 363 5 6973
Email: Markus.Becker () dbv-winterthur de
_________________________________________
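One way to see which options a pushed rule lost, and to confirm that a local copy built with the workaround above carries them again (an added example, not part of the original post and not Snortcenter code; the sample rules, the sids and the `local_copies` mapping are constructed for illustration):

```python
import re
from collections import Counter

# Rule header, then the parenthesised option list (Snort 2.x syntax).
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|activate|dynamic)\b[^(]*\((.*)\)\s*$')
# One option: runs up to a ';' that is not escaped and not inside quotes.
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def option_keywords(rule):
    """Return {'sid': str or None, 'keywords': Counter} for a rule line, else None."""
    m = RULE_RE.match(rule)
    if not m:
        return None  # comment, blank line, var/include statement
    sid, kws = None, Counter()
    for chunk in OPTION_RE.findall(m.group(1)):
        key, _, val = chunk.strip().partition(':')
        if key.strip():
            kws[key.strip()] += 1
            if key.strip() == 'sid':
                sid = val.strip()
    return {'sid': sid, 'keywords': kws}

def index_by_sid(rules_text):
    parsed = filter(None, map(option_keywords, rules_text.splitlines()))
    return {p['sid']: p['keywords'] for p in parsed if p['sid']}

def dropped_options(upstream, deployed, local_copies=None):
    """Map sid -> option keywords the deployed rule lost (counts respected).

    local_copies maps an upstream sid to the sid of its hand-made local copy.
    """
    up, dep = index_by_sid(upstream), index_by_sid(deployed)
    report = {}
    for sid, kws in up.items():
        target = (local_copies or {}).get(sid, sid)
        if target in dep:
            missing = kws - dep[target]
            if missing:
                report[sid] = sorted(missing.elements())
    return report

# Constructed sample rules (not from the thread): the sensor copy lost 'pcre'.
UPSTREAM = r'''alert tcp any any -> any 80 (msg:"demo a\;b"; flow:to_server,established; content:"GET"; pcre:"/x;y/i"; sid:1000001; rev:1;)'''
DEPLOYED = r'''alert tcp any any -> any 80 (msg:"demo a\;b"; flow:to_server,established; content:"GET"; sid:1000001; rev:1;)'''
LOCAL = r'''alert tcp any any -> any 80 (msg:"demo a\;b"; flow:to_server,established; content:"GET"; pcre:"/x;y/i"; sid:1000901; rev:1;)'''

if __name__ == '__main__':
    print(dropped_options(UPSTREAM, DEPLOYED))
    print(dropped_options(UPSTREAM, DEPLOYED + '\n' + LOCAL, {'1000001': '1000901'}))
```

Feed it the distributed rules file and the file the sensor actually loads; the `local_copies` dictionary is the list of rules and local counterparts the post recommends keeping.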
