thresholds.conf overwritten by update?

NST
2009-10-09
2012-12-05
  • Peter Joseph
    2009-10-09

    Hi,
    I've configured the snort updater, but somehow thresholds.conf in the /var/nst/snort/rules directory has been overwritten and changes I've made to some rules have been reverted. I've only updated snort manually on boxes in the past but would like to use the NST snort updater.

    What am I doing wrong and how do I put it right?

    Many thanks.

     
  • See NST scripts: `snort_updater_conf` and `snort_updater`
    They allow for PRERELOADSCRIPT and POSTRELOADSCRIPT scripting.

    You could copy your current "thresholds.conf" in the PRERELOADSCRIPT temporarily and reload it after rules have been updated in the POSTRELOADSCRIPT.

    --RWH

     
  • Peter Joseph
    2009-10-09

    Thanks!
    In that case I've simply put my thresholds.conf into /etc/snort_eth1 and added the correct include line to snort.conf

    What about the case where I've disabled certain rules by editing the rules files?

     
  • You are on your own at that point. That's why I created the POSTRELOADSCRIPT. If you are familiar with the "sed" utility you would comment out those updated rules with "sed"…

    --RWH
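
Added example, not part of the thread and not NST's own code: one way to re-disable rules by SID with `sed` after an update has restored the rules files. The function names, the sample file name and the SIDs are constructed for illustration, and it assumes one rule per line.

```shell
#!/bin/sh
# Hypothetical post-update helper: comment out Snort rules by SID.

# make_sample_rules DIR : writes constructed sample rules for a dry run.
make_sample_rules() {
    cat > "$1/local-sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed example A"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed example B"; sid:10000011; rev:1;)
# alert tcp any any -> any 25 (msg:"constructed, already disabled"; sid:1000002; rev:1;)
EOF
}

# disable_sids DIR SID...
# Comments out every active rule in DIR/*.rules carrying one of the SIDs.
# Prints the number of rule lines changed; running it again changes nothing.
disable_sids() {
    dir=$1; shift
    changed=0
    for sid in "$@"; do
        # Accept digits only, so nothing else can reach the sed pattern.
        case $sid in
            ''|*[!0-9]*) echo "skipping invalid sid: $sid" >&2; continue ;;
        esac
        # Active rule: starts with a rule action, not '#'. The trailing ';'
        # keeps sid:1000001 from also matching sid:10000011.
        pat="^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*sid:[[:space:]]*${sid}[[:space:]]*;"
        for f in "$dir"/*.rules; do
            [ -f "$f" ] || continue
            n=$(grep -c -E "$pat" "$f" || true)
            [ "$n" -gt 0 ] || continue
            tmp=$(mktemp) || return 1
            # Write back with cat so the file keeps its owner and mode.
            sed -E "/$pat/s/^/# /" "$f" > "$tmp" && cat "$tmp" > "$f"
            rm -f "$tmp"
            changed=$((changed + n))
        done
    done
    echo "$changed"
}
```

Keeping the SID list in one place outside the rules directory means the same list can be reapplied after every update.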

     
  • Peter Joseph
    2009-10-09

    Thanks, so the update stuff is specific to NST, I'd assumed it was the Oinkmaster system or somesuch…

    Thanks for your help.

     
  • Yes, Oinkmaster is a separate snort updater app…

    --RWH