Closed GoogleCodeExporter closed 9 years ago
OK, can that one -- I have (re)discovered the categories :) There had to be a
straightforward way of doing it :)
Original comment by russell....@gmail.com
on 20 Oct 2010 at 11:13
Closed per user request.
Original comment by Cummin...@gmail.com
on 20 Oct 2010 at 11:20
I take it back (not enough coffee) -- this still does not allow me to say which
categories I want as opposed to saying what I don't want.
One of the issues I face is that new categories (files) get added and I really
don't want stuff dumped into my sensors without my oversight.
hmmmm....
I wonder if we had a dropsid.conf like this:
all
+scan
+virus
I'll look at what is involved in doing this
I now have a setup that works (by exclusion) but I would much rather do it the
other way around.
Original comment by russell....@gmail.com
on 21 Oct 2010 at 12:52
We do have that... you can enable / disable / drop based on category....
Original comment by Cummin...@gmail.com
on 21 Oct 2010 at 12:59
I'm probably thick :) but I don't see how I can duplicate what I did with
oinkmaster, which was, in snort.conf, simply to include the rule files that I wanted.
My immediate reaction to reading the category stuff this morning was yes, this
will allow me to put it in enablesid but:
a/ this enables all the rules in the category -- even those off by default.
b/ there does not seem to be any way of disabling *everything* by default.
What I want to do is manipulate stuff at the rule file level.
Assuming I have not missed something I am coming back to my original idea of
having an include list as part of the config.
I implemented this and it works fine -- I added a new parameter ($include -
analogous to $ignore) to rule_extract and the md5 routine that calls it. In
rule_extract I added a loop to map the list to a hash and then added a line to
the rule_extract loop " next if %include && ! $include{$singlefile}; " IIRC.
Converting the list to a hash should be done when setting the global variable
$include... i.e. $include would be a hash ref.
Original comment by russell....@gmail.com
on 21 Oct 2010 at 2:11
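For readers following the include-list idea in the comment above, here is a stand-alone Perl sketch of the same file-level filtering. It is an added example, not pulledpork's code and not the patch the commenter describes; the names $include, $ignore and rule_extract are borrowed from the comment, and the rule files and SIDs are constructed for the example. It shows the two behaviours asked for: an include list makes rule selection deny-by-default at the file level, and rules that are commented out in a file stay disabled instead of being switched on wholesale the way a category-wide enablesid would.

```perl
#!/usr/bin/perl
# Added example (not pulledpork's own code): file-level include/ignore
# filtering of Snort rule files, in the spirit of the $include parameter
# described in the comment above. Names ($include, $ignore, rule_extract)
# are chosen to match that comment; all rule text here is constructed.
use strict;
use warnings;

# Constructed sample: filename => contents, as they might come out of a rules tarball.
my %files = (
    'scan.rules'  => "alert tcp any any -> any 22 (msg:\"constructed scan rule\"; sid:1000001; rev:1;)\n",
    'virus.rules' => "alert tcp any any -> any 25 (msg:\"constructed virus rule\"; sid:1000002; rev:1;)\n"
                   . "# alert tcp any any -> any 110 (msg:\"constructed, off by default\"; sid:1000003; rev:1;)\n",
    'web.rules'   => "alert tcp any any -> any 80 (msg:\"constructed web rule\"; sid:1000004; rev:1;)\n",
    'local.rules' => "alert ip any any -> any any (msg:\"constructed local rule\"; sid:1000005; rev:1;)\n",
);

# Turn a comma-separated config value into a hash ref once, when the option is
# read, so the per-file test inside the loop is a single lookup.
sub list_to_hashref {
    my ($list) = @_;
    return undef unless defined $list && length $list;
    my %set = map { $_ => 1 } grep { length } split /\s*,\s*/, $list;
    return \%set;
}

# Extract rules from the files that pass the filters:
#  - a file named in $ignore is always skipped;
#  - if $include is set, only files named in it are kept (deny by default);
#  - if $include is not set, every non-ignored file is kept (exclusion only).
# Returns a hash ref: sid => { file, enabled, rule }.
sub rule_extract {
    my ($files, $ignore, $include) = @_;
    my %rules;
    for my $singlefile (sort keys %$files) {
        next if $ignore  && $ignore->{$singlefile};
        next if $include && !$include->{$singlefile};
        for my $line (split /\n/, $files->{$singlefile}) {
            # Remember whether the rule was commented out (disabled) in the file,
            # so file-level inclusion does not turn default-off rules on.
            my $enabled = $line !~ /^\s*#/;
            (my $body = $line) =~ s/^\s*#\s*//;
            next unless $body =~ /^(?:alert|log|pass|drop|reject|sdrop)\s/;
            my ($sid) = $body =~ /\bsid\s*:\s*(\d+)\s*;/ or next;
            $rules{$sid} = { file => $singlefile, enabled => $enabled, rule => $body };
        }
    }
    return \%rules;
}

# Hypothetical config values: always drop local.rules, and only admit the two
# listed files. web.rules is never touched because it is not in the include list.
my $ignore  = list_to_hashref('local.rules');
my $include = list_to_hashref('scan.rules,virus.rules');

my $got = rule_extract(\%files, $ignore, $include);
for my $sid (sort { $a <=> $b } keys %$got) {
    printf "%-12s sid:%s %s\n", $got->{$sid}{file}, $sid,
        $got->{$sid}{enabled} ? 'enabled' : 'disabled by default';
}
```

Passing undef as $include reproduces the exclusion-only setup described earlier in the thread; a newly added category file is then picked up automatically, which is exactly the oversight problem the include list is meant to close.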
Original issue reported on code.google.com by
russell....@gmail.com
on 20 Oct 2010 at 9:01