[Snort-users] snort 2.9.2 disable alerts for so_rules (p2p)

Joel Esler jesler at ...1935...
Fri Feb 3 09:33:14 EST 2012


That's a JJ question.

However, PulledPork is the officially recommended way to manage rules.

http://blog.snort.org/2012/01/importance-of-pulledpork.html

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 3, 2012, at 9:30 AM, Lawrence R. Hughes, Sr. wrote:

> Joel,
>  
> We don't want to rely on 3rd party software to disabe a sid, what exactly does pullpork do to disable a sid & gid  in so_rules?
>  
> Thanks,
> Larry
>  
> ----- Original Message -----
> From: Joel Esler
> To: Lawrence R. Hughes, Sr.
> Cc: JJ Cummings ; snort-users at lists.sourceforge.net
> Sent: Friday, February 03, 2012 9:22 AM
> Subject: Re: [Snort-users] snort 2.9.2 disable alerts for so_rules (p2p)
> 
> The correct way of doing it, actually, is to use the disablesid.conf file in pulledpork and disable the sid.  That way the comment will transverse updates.
> 
> J
> 
> On Feb 3, 2012, at 9:19 AM, Lawrence R. Hughes, Sr. wrote:
> 
>> Joel,
>>  
>> That does not work, it did not work in 2.8.6.1 or 2.9.2.0.
>> The only way to disable them is to hash out the snort.conf file for that so_rule and that is not an answer either?
>>  
>> Thanks,
>> Larry
>>  
>> ----- Original Message -----
>> From: Joel Esler
>> To: Lawrence R. Hughes, Sr.
>> Cc: JJ Cummings ; snort-users at lists.sourceforge.net
>> Sent: Thursday, February 02, 2012 8:14 PM
>> Subject: Re: [Snort-users] snort 2.9.2 disable alerts for so_rules (p2p)
>> 
>> If you comment the rule out in the stub file as JJ suggested, it should turn the rule off.  
>> 
>> --
>> Joel Esler
>> 
>> On Feb 2, 2012, at 6:25 PM, "Lawrence R. Hughes, Sr." <lhughes at ...14852.....> wrote:
>> 
>>> no, that does not work, infact this is what the p2p.rules header says:
>>> # Autogenerated skeleton rules file.  Do NOT edit by hand
>>>  
>>>  
>>> ----- Original Message -----
>>> From: JJ Cummings
>>> To: Lawrence R. Hughes, Sr.
>>> Cc: <snort-users at lists.sourceforge.net>
>>> Sent: Thursday, February 02, 2012 6:21 PM
>>> Subject: Re: [Snort-users] snort 2.9.2 disable alerts for so_rules (p2p)
>>> 
>>> #
>>> 
>>> 
>>> Sent from the iRoad
>>> 
>>> On Feb 2, 2012, at 18:05, "Lawrence R. Hughes, Sr." <lhughes at ...14972....> wrote:
>>> 
>>>> Hi,
>>>>  
>>>> I want to disable alerts for sid:7019 gid:3 (under p2p.rules in so_rules) how would I turn off that single rule?
>>>>  
>>>> Thanks,
>>>> Larry
>>>>  
>>>> ------------------------------------------------------------------------------
>>>> Keep Your Developer Skills Current with LearnDevNow!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-d2d
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>> ------------------------------------------------------------------------------
>>> Keep Your Developer Skills Current with LearnDevNow!
>>> The most comprehensive online learning library for Microsoft developers
>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>> http://p.sf.net/sfu/learndevnow-d2d
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120203/221fe6cc/attachment.html>


More information about the Snort-users mailing list