[Snort-users] How to turn off a rule

AllowOverride allowoverride at ...11827...
Thu Oct 11 20:01:42 EDT 2012


I agree, lots of ways, not enough input for new users.
I like a lot of what I have read, but there are little things missing,
and those are what make or break a system.

On Thu, 2012-10-11 at 21:11 +0000, Jeremy Hoel wrote:
> From what I've seen, that specific alert tends to be from the ssh
> preprocessor and not a rule itself, which is why I linked to some
> articles about that, vs. the rule.
> 
> But yes.. lots of ways to do things, but not nearly enough information.
> 
> On Thu, Oct 11, 2012 at 9:09 PM, Michael Steele <michaels at ...9077...> wrote:
> > If he is using PP, then there is a specific process to use. Not sure at this
> > point how he is performing rule management.
> >
> > Michael...
> >
> > -----Original Message-----
> > From: Jeremy Hoel [mailto:jthoel at ...11827...]
> > Sent: Thursday, October 11, 2012 3:40 PM
> > To: AllowOverride
> > Cc: snort-users
> > Subject: Re: [Snort-users] How to turn off a rule
> >
> > You comment out a rule that you don't want, then restart snort for that
> > change to take effect.
> >
> > In the case of SSH protocol mismatches, it's probably not a rule, but the
> > preprocessor.. in which case:
> >
> > http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch
> >
> > There's been a lot of talk about various ways to disable the alert to match
> > your needs.
> >
> >
> >
> > On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <allowoverride at ...11827...>
> > wrote:
> >> OK, my understanding is that to turn off a rule in snort.rules you simply
> >> put a # in front of the rule, i.e. comment it out.
> >>
> >> my question is:
> >>
> >>             #22-(2-5946)
> >> [snort] ssh: Protocol mismatch
> >>
> >> turn off this rule.
> >>
> >> What do I look for? There is a shyt load of ssh rules.
> >> Maybe look for a leading line stating 22?
> >>
> >> or grep 5946, in snort.rules, right?
> >>
> >> thanks!
> >>
> >> PS: this is a false positive, as I am 192.168.1.35 connecting to
> >> 192.168.1.14.. it's me.
> >>
> >>
> >> ----------------------------------------------------------------------
> >> -------- Don't let slow site performance ruin your business. Deploy
> >> New Relic APM Deploy New Relic app performance management and know
> >> exactly what is happening inside your Ruby, Python, PHP, Java, and
> >> .NET app Try New Relic at no cost today and get our sweet Data Nerd
> >> shirt too!
> >> http://p.sf.net/sfu/newrelic-dev2dev
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
> >
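The thread lands on two different answers depending on where the alert comes from: a rule in snort.rules is switched off by commenting it out (and Snort only re-reads the file on restart), whereas "[snort] ssh: Protocol mismatch" comes from the ssh preprocessor and has no rule line to comment out. The following shell script is an added example, not code from the thread or from the Snort project. It builds a constructed snort.rules with three made-up rules (placeholder SIDs 1000001-1000003), locates and comments out a rule by SID, and then shows the other path: a constructed threshold.conf suppress entry for the preprocessor event, keyed on the poster's own 192.168.1.35 source address. The generator/signature pair 128:4 for the ssh preprocessor's protocol-mismatch event is my recollection of README.ssh in the Snort 2.9 tree, and `disable_protomismatch` is the ssh preprocessor option that turns that event off in snort.conf; confirm both against the README shipped with your own install before relying on them.

```shell
#!/bin/sh
# Added example: disable a Snort rule by SID, and check a threshold.conf
# suppression for a preprocessor event. Not Snort project code.
set -eu

# Constructed sample rules file (placeholder SIDs, not real VRT rules).
RULES="$(mktemp)"
THRESH="$(mktemp)"
trap 'rm -f "$RULES" "$THRESH" "$RULES.tmp"' EXIT
cat > "$RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe one"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe two"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE http probe"; sid:1000003; rev:1;)
EOF

# Print the active (uncommented) rule line carrying a given SID, with its line
# number. Matching "sid:N;" keeps SID 100 from also matching SID 1000.
find_rule_by_sid() {
    grep -n "sid:$2;" "$1" | grep -v '^[0-9]*:#' || true
}

# Comment out the rule with the given SID. Written via a temp file so it works
# with any POSIX sed. Snort keeps alerting on the old copy until it is restarted.
disable_rule_by_sid() {
    sed "/^[^#].*sid:$2;/s/^/# /" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of rules still live in the file (lines starting with "alert").
count_active_rules() {
    grep -c '^alert' "$1" || true
}

# The preprocessor case: "[snort] ssh: Protocol mismatch" is generator 128,
# not a snort.rules entry. Either switch it off globally in snort.conf
# ("preprocessor ssh: ... disable_protomismatch", per README.ssh) or narrow it
# with a suppress entry in threshold.conf, as in this constructed file.
cat > "$THRESH" <<'EOF'
# suppress the SSH preprocessor protocol-mismatch event for one known host
suppress gen_id 128, sig_id 4, track by_src, ip 192.168.1.35
EOF

# Has a gid/sid pair already got a suppress entry in threshold.conf?
is_suppressed() {
    grep -q "^suppress gen_id $2, sig_id $3" "$1"
}

# Walk-through on the constructed file: locate, disable, confirm.
echo "before:"; find_rule_by_sid "$RULES" 1000001
disable_rule_by_sid "$RULES" 1000001
echo "after: $(count_active_rules "$RULES") active rules left"
if is_suppressed "$THRESH" 128 4; then
    echo "128:4 is suppressed for the listed source in threshold.conf"
fi
```

Run with the SID you want gone; grep for `sid:NNNN;` rather than the bare number, since a BASE/ACID event id such as the 5946 in the original post is not a Snort SID and will not appear in snort.rules at all. After editing, `snort -T -c snort.conf` validates the configuration before the restart that actually applies the change.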