Yes, that could work and we are using suppression for some rules. But,
if it's really firing hard and it's clearly a false positive, it would
be better not to waste cpu power on the rule.
-----Original Message-----
From: Joel Esler [mailto:joel.esler@sourcefire.com]
Sent: Monday, September 19, 2005 5:17 PM
To: Humes, David G.
Cc: snort-users@lists.sourceforge.net;
oinkmaster-users@lists.sourceforge.net
Subject: Re: [Snort-users] oinkmaster - disabling rules without
getting new updates
My suggestion would be to look into suppression. That way
you're not turning off a rule completely, and you're able to
specifically tune the suppression towards your environment.
Joel Esler
SOURCEfire
On Sep 19, 2005, at 5:12 PM, Humes, David G. wrote:
I just setup oinkmaster to update our rules. Let's say
that a rule suddenly starts generating thousands of false positive
alerts, and we want to disable the rule. Normally I would add a
disablesid line to the conf file and run oinkmaster. But, that's going
to update my rules with the latest rule set, which may or may not be
what I want. If it's late on a Friday afternoon, I don't want to
introduce new rules that may false positive over the weekend. The
oinkmaster documentation is fairly insistent about not editing the rules
files directly. But, one approach is to edit the appropriate rules file
and restart snort, and also edit the oinkmaster.conf file to make
certain the rule does not get re-enabled. Another possibility is to run
oinkmaster using only local copies of the rules archives so it doesn't
update from the URLs. But, that introduces an extra step of having to
manually download the updates. Yet another approach would be to run
oinkmaster interactively, and just reject all the changes with the
exception of the one I added. Ideally, I think that there should be an
oinkmaster option for this to minimize extra steps and to keep people
from editing the rules files directly. Thoughts?
Thanks.
--Dave
