Have a look at oinkmaster.conf for this functionality.
cbdugd@dugdale ~
<> grep skip /etc/oinkmaster.conf
# You can then choose to skip individual files by specifying
# the "skipfile" keyword below.
# Files to totally skip (i.e. never update or check for changes) #
# Syntax: skipfile filename #
# or: skipfile filename1, filename2, filename3, ... #
skipfile local.rules
skipfile deleted.rules
# Also skip snort.conf by default since we don't want to overwrite our
own
skipfile snort.conf
skipfile threshold.conf
# If you just want to disable SIDs, please skip this section and have a
#
On Tue, 2004-08-31 at 13:21, Jose Maria Lopez wrote:
El mar, 31 de 08 de 2004 a las 03:00, matt@infotex.com escribió:
[***] Results from Oinkmaster started Mon Aug 30 20:00:01 2004 [***]
[///] Modified active rules: [///]
-> Modified active in bleeding.rules (2):
old: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA
trojan activity"; content:"CIA 1."; content:"pass";
classtype:trojan-activity; sid:2001234; rev:1;)
new: alert ip any any -> any any (msg:"BLEEDING-EDGE Win32/Small.AR
outbound activity"; uricontent:"/zosman/cia/index.php";
classtype:trojan-activity; sid:2001234; rev:2;)
old: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA
Trojan/Backdoor download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|";
classtype:trojan-activity; sid:2001233; rev:1;)
new: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible
Win32/Small.AR download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|";
classtype:trojan-activity; sid:2001233; rev:2;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (2):
2001233 || BLEEDING-EDGE Possible Win32/Small.AR download/upload
attempt
2001234 || BLEEDING-EDGE Win32/Small.AR outbound activity
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (2):
2001233 || BLEEDING-EDGE Possible CIA Trojan/Backdoor
download/upload attempt
2001234 || BLEEDING-EDGE Possible CIA trojan activity
[*] Added files: [*]
None.
I have read this message and I would like to know if oinkmaster
it's really capable of getting the new rules and add them without
touching the rules I have changed. This could be very important
for me, because when I install snort to a client they always want
rules to be updated automatically, but I always need to touch them
to make a good IDS.
So my question is: are you using oinkmaster to do this work? could
it do what I want it to do?
--
Ben Dugdale <ben@apachecounty.net>
Apache County Data Processing
(928) 337-7507
---
[Scanned for viruses]
-------------------------------------------------------
This SF.Net email is sponsored by: thawte's Crypto Challenge Vl
Crack the code and win a Sony DCRHC40 MiniDV Digital Handycam
Camcorder. More prizes in the weekly Lunch Hour Challenge.
Sign up NOW http://ad.doubleclick.net/clk;10740251;10262165;m
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
