[Snort-users] How to turn off a rule

AllowOverride allowoverride at ...11827...
Thu Oct 11 20:00:43 EDT 2012


using pp, but not since a few days ago. not my issue. pp works fine.


On Thu, 2012-10-11 at 17:09 -0400, Michael Steele wrote:
> If he is using PP, then there is a specific process to use. Not sure at this
> point how he is performing rule management.
> 
> Michael...
> 
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel at ...11827...] 
> Sent: Thursday, October 11, 2012 3:40 PM
> To: AllowOverride
> Cc: snort-users
> Subject: Re: [Snort-users] How to turn off a rule
> 
> You comment out a rule that you don't want, then restart snort for that
> change to take effect.
> 
> In the case of SSH protocol mismatches, it's probably not a rule, but the
> preprocessor, in which case:
> 
> http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch
> 
> There's been a lot of talk about various ways to disable the alert to match
> your needs.
> 
> 
> 
> On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <allowoverride at ...11827...>
> wrote:
> > ok, my understanding is to turn off a rule in snort.rules by simply 
> > putting a # or commenting it out, in front of the rule.
> >
> > my question is:
> >
> >             #22-(2-5946)
> > [snort] ssh: Protocol mismatch
> >
> > turn off this rule.
> >
> > what do i look for, there are a shyt load of ssh rules.
> > maybe look for leading line stating 22?
> >
> > or grep 5946, in snort.rules, right?
> >
> > thanks!
> >
> > ps this is a false positive, as i am 192.168.1.35 connecting to 
> > 192.168.1.14.. its me.
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
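Added example, not part of the original thread: a Python sketch of the two approaches discussed above, commenting out a text rule by exact generator/signature ID (a bare grep for the number also hits longer SIDs and quoted content) and, when no text rule matches because the alert comes from a preprocessor, building a Snort 2.x `suppress` line scoped to the known-good source. Assumptions: one rule per line, hypothetical function names, constructed sample rules, and 128:4 taken as the SSH preprocessor's protocol-mismatch event (confirm against the gen-msg.map on the sensor).

```python
import re

# Constructed sample rules file: SIDs and messages are made up for illustration.
SAMPLE_RULES = '''\
alert tcp any any -> $HOME_NET 22 (msg:"constructed A"; content:"sid:100059;"; sid:1000594; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"constructed B"; flow:to_server; sid:100059; rev:2;)
# alert tcp any any -> $HOME_NET 22 (msg:"already disabled"; sid:1000600; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"constructed C"; gid:3; sid:100059; rev:1;)
'''

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')      # quoted option values
_SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
_GID = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def rule_ids(line):
    """Return (gid, sid) of an active rule line; None for comments and non-rules."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    opts = _QUOTED.sub('""', s)                 # ignore "sid:..." inside strings
    sid = _SID.search(opts)
    if not sid:
        return None
    gid = _GID.search(opts)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1

def disable_rule(rules_text, gid, sid):
    """Comment out the rule with exactly this gid:sid; return (new_text, hits)."""
    out, hits = [], 0
    for line in rules_text.splitlines():
        if rule_ids(line) == (gid, sid):
            line = "# " + line
            hits += 1
        out.append(line)
    return "\n".join(out) + "\n", hits

def suppress_line(gid, sid, src_ip=None):
    """Build a Snort 2.x suppress entry, optionally limited to one source IP."""
    base = f"suppress gen_id {gid}, sig_id {sid}"
    return base + (f", track by_src, ip {src_ip}" if src_ip else "")

if __name__ == "__main__":
    _, hits = disable_rule(SAMPLE_RULES, 128, 4)
    if hits == 0:   # not a text rule: suppress the preprocessor event instead
        print(suppress_line(128, 4, "192.168.1.35"))
```

Scoping the suppress entry to the one source address keeps the event visible for every other host; Snort still has to be restarted or reloaded for either change to take effect.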
