[Snort-users] AW: (Snort-users) Disabling rules without touching the origi

sandro.poppi at ...3316...
Wed Jan 2 01:43:03 EST 2002


Marcus,

did you already try using pass rules? This helped me (and of course a lot of
others too ;). Adding the command line option -o is then required. For your
example it will show up as

pass tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS

For more information take a look at the excellent Snort manual.

HTH,
Sandro

> Hello snorters,
>
> I've spent hours trying to figure out how to disable single rules from
> the standard distribution by *only* changing snort.conf or rules.local. I
> do not want to touch any given standard rule, so updating the rulesets will
> be much easier.
>
> My last attempt was the following (in rules.local)
>
> ruletype donotshow {
>         type alert
>         output log_null
> }
> donotshow tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS
> (msg:"Disabled Proxy Scan Attempt";flags:S;)
>
> I wanted to create a rule that is applied earlier than the standard rule,
> but it didn't work. I also played with the sid in the rule and I tried to
> change the include order in snort.conf... nothing.
>
> Is commenting out a rule or changing the vars in a rule so it doesn't match
> anymore really the only way to achieve this? How do you guys update and
> organize your rulesets then?
>
> BTW: I'm using Snort 1.8.3, logging to a MySQL db, but I don't think that
> matters here.
>
> Since this is my first posting to this list please have patience. I hope I
> didn't overlook something obvious.
>
> --
> BCNU
> Marcus
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
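The pass-rule approach from Sandro's reply, worked out as a complete rules fragment plus the matching Snort invocation. This is an added example and not code from the thread; the variable values, the file name local.rules and the interface name are assumed placeholders, and the pass rule copies the header and the flags:S test from the rule Marcus wants silenced so that it matches exactly the same traffic and nothing else.

```conf
# local.rules (added example, not from the thread). Goal: silence the
# stock "Proxy Scan Attempt" style rule for HOME_NET -> PROXY_SERVERS
# without editing any distributed rule file.
#
# Assumed placeholder values; in practice these come from snort.conf.
var HOME_NET 192.168.1.0/24
var PROXY_SERVERS 192.168.1.10
var PROXY_PORTS 3128

# Same header and the same option test (flags:S) as the stock rule, so the
# pass rule swallows only the packets that rule would alert on. Leaving out
# flags:S, or widening the ports, would also hide any other alert on this
# client-to-proxy traffic, which is the real risk of pass rules.
pass tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS (flags:S;)

# snort.conf stays as shipped; the only change is one extra include line:
#   include local.rules
#
# Snort's default rule order is Alert -> Pass -> Log, so the pass rule is
# never consulted before the alert fires. Start Snort with -o to switch the
# order to Pass -> Alert -> Log:
#   snort -o -c /etc/snort/snort.conf -i eth0
```

Because -o applies to every pass rule in the configuration, keep each one as narrow as the signature it is meant to cancel and keep them all in the local file, so a ruleset update neither overwrites them nor quietly leaves a wider blind spot than intended.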
