Re: Rules tuning categories
Posted by stangrunner on Mar 02, 2016; 6:02pm
URL: https://itus.accessinnov.com/Rules-tuning-categories-tp222p254.html
Just discovered that this script: /etc/snort/rules/exclude_rules.sh parses the exclude.rules contents against the currently loaded snort.rules file and removes entries.
#!/bin/bash
EXCLUDE_RULES=/etc/snort/rules/exclude.rules
SNORT_RULES=/etc/snort/rules/snort.rules
# Remove all blank lines
sed -i '/^$/d' $EXCLUDE_RULES
# Remove all non-numeric entries
sed -i '/[^0-9]/d' $EXCLUDE_RULES
while read -r line || [[ -n "$line" ]]; do
    sed -i '/sid:'$line'/d' $SNORT_RULES
done < $EXCLUDE_RULES
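
Added example, not part of the original post or of the device's own script: the loop's pattern `/sid:N/` is a substring match, so excluding SID 1234 also deletes a rule with SID 12345 and quietly reduces detection coverage. The sketch below runs that match and an anchored alternative over three constructed rules; the rules, SIDs, temp paths and function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example. Rules, SIDs and function names are constructed for illustration.

make_rules() {  # write constructed sample rules to file $1
    cat > "$1" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed A"; sid:1234; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; sid:12345; rev:1;)
alert tcp any any -> any 80 (msg:"constructed C"; sid:91234; rev:2;)
EOF
}

# Same match as the posted loop: /sid:N/ is a substring match, so excluding
# 1234 also deletes any rule whose SID merely starts with 1234.
exclude_unanchored() {  # $1 = exclude file, $2 = rules file
    while read -r line || [ -n "$line" ]; do
        sed -i '/sid:'"$line"'/d' "$2"
    done < "$1"
}

# Anchored variant: the SID must be followed by the option terminator ';'
# and "sid" must not be the tail of a longer word.
exclude_anchored() {  # $1 = exclude file, $2 = rules file
    while read -r line || [ -n "$line" ]; do
        case $line in ''|*[!0-9]*) continue ;; esac   # digits only
        sed -i -E '/(^|[^[:alnum:]_])sid:[[:space:]]*'"$line"'[[:space:]]*;/d' "$2"
    done < "$1"
}

remaining_sids() {  # print SIDs still present in rules file $1, space-separated
    grep -oE 'sid:[0-9]+' "$1" | cut -d: -f2 | tr '\n' ' ' | sed 's/ $//'
}

compare() {  # $1 = unanchored|anchored; print SIDs left after excluding 1234
    tmpdir=$(mktemp -d)
    make_rules "$tmpdir/snort.rules"
    echo 1234 > "$tmpdir/exclude.rules"
    "exclude_$1" "$tmpdir/exclude.rules" "$tmpdir/snort.rules"
    remaining_sids "$tmpdir/snort.rules"
    rm -rf "$tmpdir"
}

echo "unanchored leaves: $(compare unanchored)"
echo "anchored leaves:   $(compare anchored)"
```

Comparing the rule count of snort.rules before and after an exclusion run against the number of lines in exclude.rules is a quick way to spot this kind of over-deletion on a live box.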