snort updates and changes to snort.conf


snort updates and changes to snort.conf

by newsecurityguy


I know this is not really the place for this question but I have had no luck elsewhere. Currently, snort is set to update to the newest rule set on a daily basis, which is what I want. However, I also need to suppress some SIDS, which I have always done by editing the snort.conf file. When the updates occur, it appears as if snort.conf is overwritten with a new version, as the changes I make to the file do not last more than 24 hours before disappearing out of the snort.conf. Am I correct in assuming this is what is occurring? Is there any other way to easily suppress events without having to edit the file after each update?

Re: snort updates and changes to snort.conf

by Michael Boman


The tool you are looking for is called Oinkmaster
(http://oinkmaster.sourceforge.net/)

Best regards
Michael Boman

On Mon, Jun 30, 2008 at 3:07 AM, newsecurityguy <JBASKEW@...> wrote:

>
> I know this is not really the place for this question but I have had no luck
> elsewhere. Currently, snort is set to update to the newest rule set on a
> daily basis, which is what I want. However, I also need to suppress some
> SIDS, which I have always done by editing the snort.conf file. When the
> updates occur, it appears as if snort.conf is overwritten with a new
> version, as the changes I make to the file do not last more than 24 hours
> before disappearing out of the snort.conf. Am I correct in assuming this is
> what is occurring? Is there any other way to easily suppress events without
> having to edit the file after each update?
> --
> View this message in context: http://www.nabble.com/snort--updates-and-changes-to-snort.conf-tp18187204p18187204.html
> Sent from the Security Basics mailing list archive at Nabble.com.
>
>



--
http://michaelboman.org - Security Blog & Wiki
Custom Laptop Skins @
http://michaelboman.org/wiki/index.php?title=Custom_Laptop_Skins
Join the Singapore Security Meetup Group @ http://security.meetup.com/77/

Re: snort updates and changes to snort.conf

by David J. Bianco-2


You need to check out Oinkmaster (oinkmaster.sourceforge.net).  It's a Perl
script to automate the process of downloading new rule updates, making all
your local changes (turning off or modifying rules) and merging them in
with what you already have.  I think this will solve your problem nicely.

        David

newsecurityguy wrote:
> I know this is not really the place for this question but I have had no luck
> elsewhere. Currently, snort is set to update to the newest rule set on a
> daily basis, which is what I want. However, I also need to suppress some
> SIDS, which I have always done by editing the snort.conf file. When the
> updates occur, it appears as if snort.conf is overwritten with a new
> version, as the changes I make to the file do not last more than 24 hours
> before disappearing out of the snort.conf. Am I correct in assuming this is
> what is occurring? Is there any other way to easily suppress events without
> having to edit the file after each update?
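Added example, not from the thread and not Oinkmaster's own code: a portable-sh sketch of what the "disable a SID after every update" step that Michael and David are pointing at actually does to a freshly downloaded rules directory, run over a constructed rules file with SIDs from the local range. The Oinkmaster directives in the leading comment are the real directive names (`url`, `disablesid`, `modifysid`) and the real `-C`/`-o`/`-b` options; the tarball URL is a placeholder, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread and not Oinkmaster's code): what "disable
# these SIDs after every rule update" means mechanically, done in portable sh
# over a constructed rules file. Oinkmaster does the same job (plus download,
# backup and a diff of what changed) from a config file; the equivalent is:
#
#   # /etc/oinkmaster.conf  (paths assumed)
#   url = <rules tarball URL for your subscription>   # placeholder, not a real URL
#   disablesid 1000002
#   modifysid 1000003 "^alert" | "drop"
#
# run from cron as:
#   oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules -b /etc/snort/backup
# The local edits are re-applied on every run, so they survive the daily update.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample standing in for a freshly downloaded web.rules; the SIDs
# are from the local (1000000+) range and are not real Snort rules.
cat > "$WORK/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample one"; content:"/a"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample two"; content:"/b"; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample three"; content:"/c"; sid:1000003; rev:1;)
EOF

# disable_sids RULESDIR SID...: comment out every active rule carrying one of
# the listed SIDs in every *.rules file. Only lines that start with an action
# keyword are touched, so re-running after the next update is harmless
# (idempotent), and "sid:1000002;" cannot match sid 100000 because the
# trailing ';' is required.
disable_sids() {
    dir=$1; shift
    for sid in "$@"; do
        for f in "$dir"/*.rules; do
            sed -i.bak -E \
                "s/^([[:space:]]*)(alert|log|pass|drop|reject|sdrop)([[:space:]].*sid:[[:space:]]*$sid;)/\1# \2\3/" "$f"
            rm -f "$f.bak"
        done
    done
}

# count_active RULESDIR: number of rules that will still be loaded.
count_active() {
    cat "$1"/*.rules | grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' || true
}

echo "active before: $(count_active "$WORK")"
disable_sids "$WORK" 1000002
echo "active after disabling 1000002: $(count_active "$WORK")"
```

The point of keeping the list of disabled SIDs in a file of its own (oinkmaster.conf, or the argument list to a function like this one) rather than in snort.conf is exactly the poster's problem: the update is free to replace every file it ships, and the local policy is re-applied on top afterwards.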


Re: snort updates and changes to snort.conf

by Joe Beasley


You don't have to put your snort.conf file in the same directory your
*.rules files are in.  I keep my snort.conf
in /usr/local/snort-version/etc, and keep all the rules
in /usr/local/snort-version/rules.  

All rule updates will have a new snort.conf (which is overwritten each
time) in the rules directory, but I start snort with the conf file in
the etc directory.  

On Sun, 2008-06-29 at 18:07 -0700, newsecurityguy wrote:
> I know this is not really the place for this question but I have had no luck
> elsewhere. Currently, snort is set to update to the newest rule set on a
> daily basis, which is what I want. However, I also need to suppress some
> SIDS, which I have always done by editing the snort.conf file. When the
> updates occur, it appears as if snort.conf is overwritten with a new
> version, as the changes I make to the file do not last more than 24 hours
> before disappearing out of the snort.conf. Am I correct in assuming this is
> what is occurring? Is there any other way to easily suppress events without
> having to edit the file after each update?


Re: snort updates and changes to snort.conf

by infolookup



------Original Message------
From: Joe Beasley
Sender: listbounce@...
To: newsecurityguy
Cc: security-basics@...
Sent: Jul 1, 2008 8:21 PM
Subject: Re: snort  updates and changes to snort.conf

You don't have to put your snort.conf file in the same directory your
*.rules files are in.  I keep my snort.conf
in /usr/local/snort-version/etc, and keep all the rules
in /usr/local/snort-version/rules.  

All rule updates will have a new snort.conf (which is overwritten each
time) in the rules directory, but I start snort with the conf file in
the etc directory.  

On Sun, 2008-06-29 at 18:07 -0700, newsecurityguy wrote:
> I know this is not really the place for this question but I have had no luck
> elsewhere. Currently, snort is set to update to the newest rule set on a
> daily basis, which is what I want. However, I also need to suppress some
> SIDS, which I have always done by editing the snort.conf file. When the
> updates occur, it appears as if snort.conf is overwritten with a new
> version, as the changes I make to the file do not last more than 24 hours
> before disappearing out of the snort.conf. Am I correct in assuming this is
> what is occurring? Is there any other way to easily suppress events without
> having to edit the file after each update?



Sent from my Verizon Wireless BlackBerry

Re: snort updates and changes to snort.conf

by newsecurityguy


Maybe I am not understanding the syntax correctly. I stopped snort, copied my current snort.conf file into the /usr/local/snort/etc directory I created. There I edited the snort.conf file to suppress the events and then attempted to restart snort using the command

/usr/sbin/snort -d -D -Q -u snort -g snort -c /usr/local/snort/etc/snort.conf -l /var/log/snort -o -m 022

Snort outputs "Initializing Inline mode" and then quits with no indication of errors. Running the original command used to start snort
/usr/sbin/snort -d -D -Q -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -o -m 022
initializes snort and it outputs loaded rules, counts, etc. What am I missing here? I checked the snort.conf file again to make sure the absolute path was used to the rules folder but am not sure what else to look for.

Thanks,
Blake




------Original Message------
From: Joe Beasley
Sender: listbounce@securityfocus.com
To: newsecurityguy
Cc: security-basics@securityfocus.com
Sent: Jul 1, 2008 8:21 PM
Subject: Re: snort  updates and changes to snort.conf

You don't have to put your snort.conf file in the same directory your
*.rules files are in.  I keep my snort.conf
in /usr/local/snort-version/etc, and keep all the rules
in /usr/local/snort-version/rules.  

All rule updates will have a new snort.conf (which is overwritten each
time) in the rules directory, but I start snort with the conf file in
the etc directory.
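Added example, not part of the thread: a pre-flight check for a snort.conf that has been moved out of the rules directory the way Joe describes. It expands the `var` definitions in the file and verifies that every `include` resolves to an absolute path that exists, which is the first thing to look at when Snort exits right after startup with no message on the terminal. The directory layout, file names and snort.conf contents are constructed; the `snort -T` foreground check mentioned in the comments is Snort's own configuration test.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a relocated
# snort.conf. It answers "what else should I look for" before starting Snort:
# every include must resolve to a file that actually exists.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/etc" "$WORK/rules"
touch "$WORK/rules/local.rules" "$WORK/rules/web.rules"

# Constructed snort.conf at its new home under etc/. RULE_PATH still points at
# the directory the daily update writes to, which is the point of the split:
# the updater may replace rules/snort.conf all it likes, that copy is never
# loaded. exploit.rules does not exist and threshold.conf is a bare relative
# name, so this configuration has two problems for the check to find.
cat > "$WORK/etc/snort.conf" <<EOF
var HOME_NET 192.168.0.0/24
var RULE_PATH $WORK/rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/web.rules
include \$RULE_PATH/exploit.rules
include threshold.conf
EOF

# resolve_includes CONF: print the target of each "include" line with $VAR
# references expanded from the "var NAME VALUE" lines of the same file.
resolve_includes() {
    awk '
        $1 == "var" { vars[$2] = $3 }
        $1 == "include" {
            p = $2
            while (match(p, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(p, RSTART + 1, RLENGTH - 1)
                p = substr(p, 1, RSTART - 1) vars[name] substr(p, RSTART + RLENGTH)
            }
            print p
        }' "$1"
}

# check_includes CONF: one line per problem. Absolute paths must exist; bare
# relative names are flagged because where they resolve depends on how Snort
# was started, and the safe fix is the absolute path the poster already uses.
check_includes() {
    for p in $(resolve_includes "$1"); do
        case $p in
            /*) [ -f "$p" ] || echo "MISSING  $p" ;;
            *)  echo "RELATIVE $p (use an absolute path)" ;;
        esac
    done
}

# problem_count CONF: number of problems, usable as a gate in a start script.
problem_count() {
    check_includes "$1" | grep -c . || true
}

check_includes "$WORK/etc/snort.conf"
echo "problems: $(problem_count "$WORK/etc/snort.conf")"
# On the sensor itself, once this passes, run Snort's own test in the
# foreground:   snort -T -c /usr/local/snort/etc/snort.conf
# With -D the process detaches and its errors go to syslog, not the terminal,
# which is why a bad path looks like a silent exit.
```

A start script can call `problem_count` and refuse to launch the daemon when it is non-zero; the `-T` run is still the authoritative check, since it also parses the rules themselves.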