kakomon wrote:
Thank you for your answer Paul
however i'm asking if there is an option, an argument, a switch or
something, to make snort skip eventual garbage during startup
There is not.
i've seen snort refusing to start due a 'fwsam' directive in some
bleedingedge rules, like the file 'bleeding-dshield-BLOCK.rules'
or, for example, if it finds two rules with the same SID
i'll like to know if the behaviour could be to simply skip those rules
No, because snort can't make those decisions for you. If you had two
duplicate SIDs, which should be disabled?
this would provide me to auto-download the rules,
maybe with oinkmaster
now it's not possible because if a new rules update could breaks snort,
it will not startup anymore
think about the disaster if snort is inline:
all the traffic would be waiting in queue !
You shouldn't be automating rule updates on an inline setup anyway.
Rules should be applied to a test box, vetted, and then deployed to the
production box when you're certain no disruption will occur.
--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
smime.p7s
Description: S/MIME Cryptographic Signature
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
