[Snort-users] How to turn off a rule

Jeremy Hoel jthoel at ...11827...
Thu Oct 11 15:39:36 EDT 2012


You comment out a rule that you don't want, then restart snort for
that change to take effect.

In the case of SSH protocol mismatches, it's probably not a rule, but
the preprocessor, in which case:

http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch

There's been a lot of talk about various ways to disable the alert to
match your needs.



On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <allowoverride at ...11827...> wrote:
> ok, my understanding is to turn off a rule in snort.rules by simply
> putting a # or commenting it out, in front of the rule.
>
> my question is:
>
>             #22-(2-5946)
> [snort] ssh: Protocol mismatch
>
> turn off this rule.
>
> what do I look for, there are a shyt load of ssh rules.
> maybe look for leading line stating 22?
>
> or grep 5946, in snort.rules, right?
>
> thanks!
>
> ps this is a false positive, as I am 192.168.1.35 connecting to
> 192.168.1.14.. it's me.

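The two cases in this thread (comment out the rule, or find that no rule carries that number at all) can be told apart mechanically. The script below is an added example, not code from either poster; it assumes Snort 2.x text rules, and `disable_sid`, `make_sample_rules` and the sample rules are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example (not from the thread). Snort 2.x text rules assumed.

# disable_sid FILE SID
#   0: active rule(s) carrying "sid:SID;" were commented out (FILE.bak keeps the original)
#   1: no active rule has that SID, so the alert likely comes from a preprocessor or decoder
#   2: SID is not a plain number
disable_sid() {
    file=$1
    sid=$2
    case $sid in ''|*[!0-9]*) return 2 ;; esac
    # Uncommented line containing exactly "sid:<SID>;" (5946 must not match 15946 or 59460)
    pattern="^[[:space:]]*[^#[:space:]].*[(;[:space:]]sid:[[:space:]]*${sid}[[:space:]]*;"
    grep -Eq "$pattern" "$file" || return 1
    cp -p "$file" "$file.bak"
    sed -E "/$pattern/ s/^/# /" "$file.bak" > "$file"
}

# Constructed sample rules file; messages and SIDs are made up for the demo.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp any any -> $HOME_NET 22 (msg:"constructed ssh rule A"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"constructed ssh rule B"; sid:10000010; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"already disabled"; sid:1000002; rev:1;)
EOF
}

demo() {
    rules=$(mktemp)
    make_sample_rules "$rules"
    disable_sid "$rules" 1000001 && echo "1000001: commented out"
    disable_sid "$rules" 5946 || echo "5946: no active rule, check preprocessor alerts"
    cat "$rules"
    rm -f "$rules" "$rules.bak"
}
demo
```

As the reply says, Snort still has to be restarted before a commented-out rule stops firing.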


