[Snort-sigs] Being killed by poor IE rules.

Nigel Houghton nhoughton at ...435...
Wed Jan 27 12:22:51 EST 2010


On Wed, Jan 27, 2010 at 12:06 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> Curious, what's the method to disable a singular GID3 rule without need to do a
> suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID, which is
> GID3, that you want to disable?  I've got a few GID3's that are "map the
> network" in my environment that I'd like to not incur the processing hit.
>
> I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.  It
> still fires.  Am I missing something?
>
> -evilghost
>
>
> Nigel Houghton wrote:
>> You can of course choose to not load the shared object libraries at
>> all. You can also choose to not load the .rules files, or just like
>> with regular rules, you can disable certain shared object rules by
>> commenting out the stub rule in the .rules files. Up to you which way
>> to go.
>>
>>
>


Yes, that's exactly how to do it. The shared object rules require the
corresponding stub rule to be present in order for the rule to be
active.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
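
The step confirmed in this reply, as an added example that is not part of the original thread and not VRT code: a shell function that comments out the active stub rule matching a given GID and SID in one or more .rules files. The function name `disable_so_stub` and the sample rule lines are constructed for illustration, and the example assumes Snort is restarted afterwards so the rule files are re-read.

```shell
#!/bin/sh
# disable_so_stub GID SID FILE...
# Comments out every active rule line that carries both gid:GID; and sid:SID;
# and prints how many lines were changed. Already-commented lines are skipped.
disable_so_stub() {
    gid=$1; sid=$2; shift 2
    changed=0
    for f in "$@"; do
        tmp=$(mktemp) || return 1
        n=$(awk -v gid="$gid" -v sid="$sid" -v out="$tmp" '
            BEGIN { n = 0 }
            # Match whole option values only, so sid 13947 does not hit 139470.
            !/^[ \t]*#/ &&
            $0 ~ ("[(; ]sid:[ \t]*" sid "[ \t]*;") &&
            $0 ~ ("[(; ]gid:[ \t]*" gid "[ \t]*;") {
                print "# " $0 > out; n++; next
            }
            { print > out }
            END { print n }
        ' "$f") || { rm -f "$tmp"; return 1; }
        # Rewrite in place so the file keeps its owner and permissions.
        [ "$n" -gt 0 ] && cat "$tmp" > "$f"
        rm -f "$tmp"
        changed=$((changed + n))
    done
    echo "$changed"
}

# Constructed sample: two shared object stubs and one text rule (implicit GID 1).
demo_constructed() {
    d=$(mktemp) || return 1
    cat > "$d" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed stub A"; sid:13947; gid:3; rev:1; metadata: engine shared, soid 3|13947;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed stub B"; sid:139470; gid:3; rev:1; metadata: engine shared, soid 3|139470;)
alert tcp any any -> any any (msg:"constructed text rule"; sid:13947; rev:1;)
EOF
    disable_so_stub 3 13947 "$d"
    rm -f "$d"
}
```

A result of 0 from `disable_so_stub` means no active stub with that GID and SID exists in the files given, so the rule is being loaded from some other .rules file or is already commented out.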
