[Snort-sigs] Being killed by poor IE rules.

evilghost at ...3397...
Wed Jan 27 12:06:48 EST 2010


Curious, what's the method to disable a singular GID3 rule without needing to do a
suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID, which is
GID3, that you want to disable?  I've got a few GID3s that are "map the
network" in my environment that I'd like to not incur the processing hit.

I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.  It 
still fires.  Am I missing something?

-evilghost


Nigel Houghton wrote:
> You can of course choose to not load the shared object libraries at
> all. You can also choose to not load the .rules files, or just like
> with regular rules, you can disable certain shared object rules by
> commenting out the stub rule in the .rules files. Up to you which way
> to go.