[Snort-sigs] Being killed by poor IE rules.

evilghost at ...3397... evilghost at ...3397...
Wed Jan 27 12:21:32 EST 2010


SIGKILL + restart, Snort 2.8.4, commented out the rule in $SO_RULE_PATH/

Ugh - Just found it, mea culpa, when I push VRT I re-generate the stubs
so it clobbered the comment.  Thanks JJ.

-evilghost

JJ Cummings wrote:
> you should be able to comment out the stub rule itself, you are saying that
> this did not work?  Of course I have to ask, you did send a HUP to snort, or
> restart altogether, correct?
>
> On Wed, Jan 27, 2010 at 10:06 AM, evilghost at ...3397... <
> evilghost at ...3397...> wrote:
>
>   
>> Curious, what's the method to disable a singular GID3 rule without need to
>> do a suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID,
>> which is GID3, that you want to disable?  I've got a few GID3's that are
>> "map the network" in my environment that I'd like to not incur the
>> processing hit.
>>
>> I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.
>> It still fires.  Am I missing something?
>>
>> -evilghost
>>
>>
>> Nigel Houghton wrote:
>>     
>>> You can of course choose to not load the shared object libraries at
>>> all. You can also choose to not load the .rules files, or just like
>>> with regular rules, you can disable certain shared object rules by
>>> commenting out the stub rule in the .rules files. Up to you which way
>>> to go.
>>>
>>>
>>>       
>
>   
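
Added example (not part of the original thread, and not code from Snort or the VRT): one way to keep a disabled shared-object stub disabled after the stubs are regenerated is to re-apply a list of (GID, SID) pairs to the regenerated .rules text. The function names, the disable list and the sample stub lines are assumptions made for illustration; only SID 13947 / GID 3 comes from the thread.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

def rule_key(text):
    """Return (gid, sid) if text is a rule, else None. A missing gid means 1."""
    if not text.startswith(ACTIONS):
        return None
    sid = SID_RE.search(text)
    if sid is None:
        return None
    gid = GID_RE.search(text)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def disable_stubs(rules_text, disabled):
    """Comment out every active rule whose (gid, sid) is in `disabled`.

    Returns (new_text, newly_commented, missing). `missing` lists entries
    that do not appear in the file at all, active or commented.
    """
    out, newly, seen = [], [], set()
    for line in rules_text.splitlines():
        body = line.lstrip()
        is_comment = body.startswith("#")
        key = rule_key(body.lstrip("# "))
        if key in disabled:
            seen.add(key)
            if not is_comment:  # idempotent: never double-comment a stub
                line = "# " + line
                newly.append(key)
        out.append(line)
    return "\n".join(out) + "\n", newly, sorted(disabled - seen)

# Constructed sample stub file; messages and SIDs 99901-99903 are made up.
SAMPLE = """\
# constructed stub file
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed stub A"; sid:13947; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed stub B"; sid:99901; gid:3; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"constructed stub C"; sid:99902; gid:3; rev:1;)
"""
DISABLED = {(3, 13947), (3, 99902), (3, 99903)}

if __name__ == "__main__":
    text, newly, missing = disable_stubs(SAMPLE, DISABLED)
    print(text, end="")
    print("newly commented:", newly, "not found:", missing)
```

Run it as the last step of whatever regenerates the stubs, then HUP or restart Snort as JJ Cummings notes above; a non-empty "not found" list means a disabled SID no longer appears in the regenerated file.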



