[Snort-sigs] Being killed by poor IE rules.

JJ Cummings cummingsj at ...2420...
Wed Jan 27 12:17:02 EST 2010


you should be able to comment out the stub rule itself, you are saying that
this did not work?  Of course I have to ask, you did send a HUP to snort, or
restart altogether, correct?

On Wed, Jan 27, 2010 at 10:06 AM, evilghost at ...3397... <
evilghost at ...3397...> wrote:

> Curious, what's the method to disable a singular GID3 rule without need to
> do a
> suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID,
> which is
> GID3, that you want to disable?  I've got a few GID3's that are "map the
> network" in my environment that I'd like to not incur the processing hit.
>
> I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.
>  It
> still fires.  Am I missing something?
>
> -evilghost
>
>
> Nigel Houghton wrote:
> > You can of course choose to not load the shared object libraries at
> > all. You can also choose to not load the .rules files, or just like
> > with regular rules, you can disable certain shared object rules by
> > commenting out the stub rule in the .rules files. Up to you which way
> > to go.
> >
> >
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20100127/70a50d21/attachment.html>


More information about the Snort-sigs mailing list