This is somewhat of a simple question, more out of curiosity than anything.  In 
tuning some Snort sensors I got to thinking.  I was wondering how others handle 
rule modifications based on their organizational structure.  Obviously the 
default rules that come from snort.org need some type of tweaking based on what 
environment they are deployed in.  I am curious how those rules are handled.  
Do you disable the sid and then copy that rule to the local file? Or do you 
modify it and come up with your own scripting to handle the rule?

Hopefully this is somewhat clear.  Thanks for any response.


John 
