I've configured the snort updater, but somehow thresholds.conf in the /var/nst/snort/rules directory has been overwritten and changes I've made to some rules have been reverted. I've only updated snort manually on boxes in the past but would like to use the NST snort updater.
What am I doing wrong and how do I put it right?
Ronald W. Henderson
See NST scripts: `snort_updater_conf` and `snort_updater`
They allow for PRERELOADSCRIPT and POSTRELOADSCRIPT scripting.
You could copy your current "thresholds.conf" in the PRERELOADSCRIPT temporarily and reload it after rules have been updated in the POSTRELOADSCRIPT.
In that case I've simply put my thresholds.conf into /etc/snort_eth1 and added the correct include line to snort.conf
What about the case where I've disabled certain rules by editing the rules files?
You are on your own at that point. That's why I created the POSTRELOADSCRIPT. If you are familiar with the "sed" utility you would comment out those updated rules with "sed"…
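The approach suggested above (re-commenting locally disabled rules with sed after each update, and putting back a saved thresholds.conf), as an added example that is not part of the original thread or of NST itself. The function names, the SID list file and the way the script is hooked into POSTRELOADSCRIPT are assumptions; the sample rules are constructed.

```shell
#!/bin/sh
# Added example: re-apply local changes after a rule update.
# Assumption: called from whatever POSTRELOADSCRIPT points at; wiring is site-specific.

# restore_saved SAVED DEST
# Put back a file (e.g. thresholds.conf) that the pre-reload step copied aside.
restore_saved() {
    [ -f "$1" ] && cp -p "$1" "$2"
}

# disable_sids RULES_DIR SID_LIST
# Comment out every active rule whose sid appears in SID_LIST (one SID per
# line, '#' comment lines allowed). Rules that are already commented are
# skipped, so running this after every update never stacks '#' markers.
disable_sids() {
    rules_dir=$1; sid_list=$2
    grep -v '^[[:space:]]*#' "$sid_list" | while read -r sid rest; do
        case $sid in ''|*[!0-9]*) continue ;; esac   # skip blank / non-numeric
        for f in "$rules_dir"/*.rules; do
            [ -f "$f" ] || continue
            # Exact match: "sid:" followed by this number and then ';',
            # so 1000001 does not also hit 10000010.
            sed -i.bak -e "/^[[:space:]]*#/!s/^\(.*[(;[:space:]]sid:[[:space:]]*$sid[[:space:]]*;.*\)\$/# \1/" "$f"
            rm -f "$f.bak"
        done
    done
}

# demo: build constructed rules (not real signatures) in a temp dir,
# disable two SIDs, and print the directory for inspection.
demo() {
    d=$(mktemp -d)
    cat > "$d/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; sid:10000010; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed C"; sid:1000002; rev:1;)
EOF
    printf '# locally disabled\n1000001\n1000002\n' > "$d/disabled.sids"
    disable_sids "$d" "$d/disabled.sids"
    echo "$d"
}
```

Keeping the disabled SIDs in a separate list file means the rule files themselves never need hand edits that the next update would overwrite.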
Thanks, so the update stuff is specific to NST, I'd assumed it was the Oinkmaster system or somesuch…
Thanks for your help.
Yes, Oinkmaster is a separate snort updater app…