[Snort-sigs] Being killed by poor IE rules.

JJ Cummings cummingsj at ...2420...
Wed Jan 27 12:36:53 EST 2010


/* begin shameless plug */

That's why you should be using pulledpork and have that gid:sid in the
disablesid.conf

/* end shameless plug */

JJC

On Wed, Jan 27, 2010 at 10:21 AM, evilghost at ...3397... <
evilghost at ...3397...> wrote:

> SIGKILL + restart, Snort 2.8.4, commented out the rule in $SO_RULE_PATH/
>
> Ugh - Just found it, mea culpa, when I push VRT I re-generate the stubs
> so it clobbered the comment.  Thanks JJ.
>
> -evilghost
>
> JJ Cummings wrote:
> > you should be able to comment out the stub rule itself, you are saying that
> > this did not work?  Of course I have to ask, you did send a HUP to snort, or
> > restart altogether, correct?
> >
> > On Wed, Jan 27, 2010 at 10:06 AM, evilghost at ...3397... <
> > evilghost at ...3397...> wrote:
> >
> >
> >> Curious, what's the method to disable a singular GID3 rule without need to
> >> do a suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID,
> >> which is GID3, that you want to disable?  I've got a few GID3's that are
> >> "map the network" in my environment that I'd like to not incur the
> >> processing hit.
> >>
> >> I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.
> >> It still fires.  Am I missing something?
> >>
> >> -evilghost
> >>
> >>
> >> Nigel Houghton wrote:
> >>
> >>> You can of course choose to not load the shared object libraries at
> >>> all. You can also choose to not load the .rules files, or just like
> >>> with regular rules, you can disable certain shared object rules by
> >>> commenting out the stub rule in the .rules files. Up to you which way
> >>> to go.
> >>>
> >>>
> >>>
> >>
>
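
The failure described in this thread (a hand-commented stub is overwritten when the stubs are regenerated) goes away if the disable decision lives in a separate gid:sid list that is re-applied after every regeneration. The following is an added example, not code from the thread and not pulledpork's own code; the function names, the sample stub rules and the list syntax beyond plain `gid:sid` entries are assumptions made for illustration.

```python
import re

# An active or already commented-out rule line; captures the option body.
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|drop|log|pass)\b.*?\((?P<opts>.*)\)\s*$')

def parse_disable_list(text):
    """Read gid:sid entries, comma or newline separated; '#' starts a comment."""
    wanted = set()
    for line in text.splitlines():
        for entry in line.split('#', 1)[0].split(','):
            m = re.fullmatch(r'\s*(\d+):(\d+)\s*', entry)
            if m:
                wanted.add((int(m.group(1)), int(m.group(2))))
    return wanted

def rule_id(opts):
    """Return (gid, sid) for a rule's options; gid defaults to 1 when absent."""
    sid = re.search(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;', opts)
    gid = re.search(r'(?:^|;)\s*gid\s*:\s*(\d+)\s*;', opts)
    if not sid:
        return None
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def apply_disable_list(stub_text, disable_text):
    """Comment out every listed rule; safe to re-run on already edited files."""
    wanted = parse_disable_list(disable_text)
    out, disabled = [], []
    for line in stub_text.splitlines():
        m = RULE_RE.match(line)
        key = rule_id(m.group('opts')) if m else None
        if key in wanted and not m.group(1):   # skip lines already commented
            line = '# ' + line
            disabled.append(key)
        out.append(line)
    return '\n'.join(out) + '\n', disabled

# Constructed sample input: freshly regenerated stubs and a persistent list.
STUBS = '''\
# Constructed stub rules for illustration; not real VRT content.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed SO rule A"; sid:13947; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed SO rule B"; sid:99999; gid:3; rev:1;)
'''
DISABLE = "3:13947  # noisy in this environment\n"

if __name__ == "__main__":
    text, off = apply_disable_list(STUBS, DISABLE)
    print(text, off)
```

Run it as the last step of whatever regenerates the stubs, then send Snort a HUP or restart it so the change is loaded.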

