[Snort-users] How to turn off a rule

Jeremy Hoel jthoel at ...11827...
Thu Oct 11 17:11:50 EDT 2012


From what I've seen, that specific alert tends to be from the SSH
preprocessor and not a rule itself, which is why I linked to some
articles about that, vs. the rule.

But yes.. lots of ways to do things, but not nearly enough information.

On Thu, Oct 11, 2012 at 9:09 PM, Michael Steele <michaels at ...9077...> wrote:
> If he is using PP, then there is a specific process to use. Not sure at this
> point how he is performing rule management.
>
> Michael...
>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel at ...11827...]
> Sent: Thursday, October 11, 2012 3:40 PM
> To: AllowOverride
> Cc: snort-users
> Subject: Re: [Snort-users] How to turn off a rule
>
> You comment out a rule that you don't want, then restart snort for that
> change to take effect.
>
> In the case of SSH protocol mismatches, it's probably not a rule, but the
> preprocessor.. in which case;
>
> http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch
>
> There's been a lot of talk about various ways to disable the alert to match
> your needs.
>
>
>
> On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <allowoverride at ...11827...>
> wrote:
>> ok, my understanding is to turn off a rule in snort.rules by simply
>> putting a # or commenting it out, in front of the rule.
>>
>> my question is:
>>
>>             #22-(2-5946)
>> [snort] ssh: Protocol mismatch
>>
>> turn off this rule.
>>
>> what do i look for, there are a shyt load of ssh rules.
>> maybe look for leading line stating 22?
>>
>> or grep 5946, in snort.rules, right?
>>
>> thanks!
>>
>> ps this is a false positive, as I am 192.168.1.35 connecting to
>> 192.168.1.14.. it's me.
>>
>>
>> ----------------------------------------------------------------------
>> -------- Don't let slow site performance ruin your business. Deploy
>> New Relic APM Deploy New Relic app performance management and know
>> exactly what is happening inside your Ruby, Python, PHP, Java, and
>> .NET app Try New Relic at no cost today and get our sweet Data Nerd
>> shirt too!
>> http://p.sf.net/sfu/newrelic-dev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>

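A worked example of the two approaches discussed in this thread (commenting out a rule by its SID, and suppressing a preprocessor-generated event for one known-benign source address), added here and not part of the original messages. The rule lines, the file name and the 192.168.1.35 address are constructed for the demo; the SSH preprocessor's gen_id 128 / sig_id 4 for "Protocol mismatch" are assumed from Snort's preprocessor documentation and should be checked against the gen-msg.map of your install.

```shell
#!/bin/sh
# Comment out every active rule carrying a given SID in a Snort rules file.
# Lines that are already comments are skipped, so the function is idempotent.
# Usage: disable_rule_by_sid <rules-file> <sid>
disable_rule_by_sid() {
    rules="$1"; sid="$2"
    tmp="$rules.tmp.$$"
    # First expression: branch past commented lines. Second: anchor on
    # "sid:<n>;" so that sid 5946 does not also match sid 59461.
    sed -e '/^[[:space:]]*#/b' \
        -e "/sid:[[:space:]]*$sid[[:space:]]*;/s/^/# /" "$rules" > "$tmp" \
        && mv "$tmp" "$rules"
}

# Count the still-active (uncommented) rules carrying a SID; prints 0 if none.
active_rules_with_sid() {
    grep -v '^[[:space:]]*#' "$1" | grep -c "sid:[[:space:]]*$2[[:space:]]*;" || true
}

# Emit a suppress line for a preprocessor event (gid/sid), limited to one
# source address so the event stays visible for every other host.
# The line goes in threshold.conf (or snort.conf); Snort must be restarted after.
suppress_line() {
    printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' "$1" "$2" "$3"
}

# Demo on a constructed rules file (SIDs and messages are made up for this example).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example one"; sid:5946; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example two"; sid:59461; rev:1;)
# alert tcp any any -> any 22 (msg:"already disabled"; sid:5946; rev:1;)
EOF
    disable_rule_by_sid "$f" 5946
    cat "$f"
    echo "active rules with sid 5946: $(active_rules_with_sid "$f" 5946)"
    # Assumed gid/sid for the SSH preprocessor "Protocol mismatch" event (128/4);
    # 192.168.1.35 is the analyst's own workstation from the thread.
    suppress_line 128 4 192.168.1.35
    rm -f "$f"
}

demo
```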