[Snort-users] A question about disable sids with pulledpork

JJ Cummings cummingsj at ...11827...
Mon Nov 14 20:25:19 EST 2011


I am not where I can look, but likely flowbit resolution related.

Sent from the iRoad

On Nov 14, 2011, at 18:51, carlopmart <carlopmart at ...11827...> wrote:

> On 11/15/2011 12:47 AM, Lay, James wrote:
>> 
>> 
>>> -----Original Message-----
>>> From: carlopmart [mailto:carlopmart at ...11827...]
>>> Sent: Monday, November 14, 2011 4:34 PM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] A question about disable sids with pulledpork
>>> 
>>> On 11/14/2011 07:26 PM, JJ Cummings wrote:
>>>> It is, look into the pcre capability for disablesid.
>>>> 
>>>> Sent from the iRoad
>>>> 
>>> 
>>> Thanks JJC. I can disable most of all except two rules from
>>> web-misc.rules: sid:18318 and sid:17748. I have tried inserting this in
>>> disable.conf:
>>> 
>>> 3:17748,3:18318
>>> 
>>>   ... and it doesn't work ... then I have tried this:
>>> 
>>> pcre:ssl_version
>>> 
>>>   ... and it doesn't work
>>> 
>>>   What am I doing wrong??
>>> 
>> 
>> Try:
>> 
>> 1:17748,1:18318
>> 
>> James
> 
> Doesn't work because these rules are classified as a type 3 in the
> classification.config file as a protocol-command-decode ...
> 
> 
> 
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
> 