[Snort-sigs] Being killed by poor IE rules.

Nigel Houghton nhoughton at ...435...
Wed Jan 27 12:22:51 EST 2010

On Wed, Jan 27, 2010 at 12:06 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> Curious, what's the method to disable a singular GID3 rule without need to do a
> suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID, which is
> GID3, that you want to disable?  I've got a few GID3's that are "map the
> network" in my environment that I'd like to not incur the processing hit.
> I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.  It
> still fires.  Am I missing something?
> -evilghost
> Nigel Houghton wrote:
>> You can of course choose to not load the shared object libraries at
>> all. You can also choose to not load the .rules files, or just like
>> with regular rules, you can disable certain shared object rules by
>> commenting out the stub rule in the .rules files. Up to you which way
>> to go.

Yes, that's exactly how to do it. The shared object rules require the
corresponding stub rule to be present in order for the rule to be

Nigel Houghton
Head Mentalist
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
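
The stub-commenting approach discussed in this thread, as an added example (not part of the original messages and not Snort's own tooling): a Python helper that comments out the stub for one GID:SID and lists any stub file in which that rule is still uncommented. The function names and the sample rules are constructed for illustration, and the sketch assumes one rule per line.

```python
import re

# Option order inside a rule body varies, so sid and gid are matched independently.
_SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
_GID = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
_RULE = re.compile(
    r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s')

# Constructed sample stub file (not real VRT rule content).
SAMPLE = '''# constructed sample
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed stub A"; sid:13947; gid:3; rev:1; metadata: engine shared, soid 3|13947;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed stub B"; gid:3; sid:13948; rev:1; metadata: engine shared, soid 3|13948;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed text rule"; sid:13947; rev:1;)
'''

def rule_id(line):
    """Return (gid, sid, active) for a rule line, or None for any other line."""
    head = _RULE.match(line)
    sid = _SID.search(line)
    if not head or not sid:
        return None
    gid = _GID.search(line)
    # A rule without a gid option belongs to generator 1 (plain text rules).
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)),
            head.group(1) is None)

def disable_stub(text, gid, sid):
    """Comment out every active rule matching gid:sid; return (new_text, count)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        if rule_id(line) == (gid, sid, True):
            line = "# " + line
            changed += 1
        out.append(line)
    return "".join(out), changed

def still_active(files, gid, sid):
    """Names of files (dict: name -> text) where gid:sid is still uncommented."""
    return [name for name, text in files.items()
            if any(rule_id(l) == (gid, sid, True) for l in text.splitlines())]

if __name__ == "__main__":
    patched, count = disable_stub(SAMPLE, 3, 13947)
    print(f"commented out {count} stub(s)")
    print(patched)
```

Matching on the GID as well as the SID keeps a GID 1 text rule that happens to share the SID number untouched.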
