[Snort-users] A question about disable sids with pulledpork

carlopmart carlopmart at ...11827...
Mon Nov 14 18:51:51 EST 2011


On 11/15/2011 12:47 AM, Lay, James wrote:
>
>
>> -----Original Message-----
>> From: carlopmart [mailto:carlopmart at ...11827...]
>> Sent: Monday, November 14, 2011 4:34 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] A question about disable sids with
> pulledpork
>>
>> On 11/14/2011 07:26 PM, JJ Cummings wrote:
>>> It is, look into the pcre capability for disablesid.
>>>
>>> Sent from the iRoad
>>>
>>
>> Thanks JJC. I can disabled most of all except two rules from
>> web-misc.rules: sid:18318 and sid:17748. I have tried inserting this
> in
>> disable.conf:
>>
>> 3:17748,3:18318
>>
>>    .. and it doesn't works ... then I have tried this:
>>
>> pcre:ssl_version
>>
>>    ... adn it doesn't works
>>
>>    What am I doing worng??
>>
>
> Try:
>
> 1:17748,1:18318
>
> James

Don't work because these rules are classified as a type 3 in 
classification.config file as a protocol-command-decode ...



-- 
CL Martinez
carlopmart {at} gmail {d0t} com




More information about the Snort-users mailing list