[Snort-users] How to turn off a rule

AllowOverride allowoverride at ...11827...
Thu Oct 11 20:04:17 EDT 2012


I disagree... completely, google yields hundreds of hits, I can't believe
you actually pulled a 2008 joke on me like that, you are 2000 late
dude.. lolol

On Thu, 2012-10-11 at 21:52 +0000, Jeremy Hoel wrote:
> Because the question you asked is easily answered by doing a google search.
> 
> You asked about how to disable a rule, I answered that, and then
> pointed to conversations about the particular error you are seeing.
> Because it's probably not a rule, but a preprocessor.
> 
> And because google can be your friend if you use it, quick answers to
> common problems..
> 
> 
> On Thu, Oct 11, 2012 at 9:36 PM, AllowOverride <allowoverride at ...11827...> wrote:
> > why are you sending me to google?
> >
> > On Thu, 2012-10-11 at 19:39 +0000, Jeremy Hoel wrote:
> >> You comment out a rule that you don't want, then restart snort for
> >> that change to take effect.
> >>
> >> In the case of SSH protocol mismatches, it's probably not a rule, but
> >> the preprocessor.. in which case;
> >>
> >> http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch
> >>
> >> There's been a lot of talk about various ways to disable the alert to
> >> match your needs.
> >>
> >>
> >>
> >> On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <allowoverride at ...11827...> wrote:
> >> > ok, my understanding is to turn off a rule in snort.rules by simply
> >> > putting a # or commenting it out, in front of the rule.
> >> >
> >> > my question is:
> >> >
> >> >             #22-(2-5946)
> >> > [snort] ssh: Protocol mismatch
> >> >
> >> > turn off this rule.
> >> >
> >> > what do i look for, there are a shyt load of ssh rules.
> >> > maybe look for leading line stating 22?
> >> >
> >> > or grep 5946, in snort.rules, right?
> >> >
> >> > thanks!
> >> >
> >> > ps this is a false positive, as i am 192.168.1.35 connecting to
> >> > 192.168.1.14.. it's me.
> >> >
> >> >
> >
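
Added example, not part of the original thread: one way to do the "comment out the rule" step from the first reply by rule ID instead of a plain text search, so that only the active rule with that exact generator and signature ID is disabled. The function names and the sample rules are constructed for illustration; a count of 0 means no active rule in the file carries that ID, and the alert has to be traced elsewhere, such as the preprocessor the reply mentions.

```python
import re

# Constructed sample rules (written for this example, not taken from the thread).
# A plain text search for 1000001 would match three of these lines.
SAMPLE_RULES = """\
# local rules, constructed sample
alert tcp any any -> $HOME_NET 22 (msg:"sample ssh rule A"; flow:to_server; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"sample ssh rule B"; content:"sid:1000001"; sid:1000002; rev:3;)
# alert tcp any any -> $HOME_NET 23 (msg:"sample, already off"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"sample gid rule"; gid:3; sid:1000001; rev:1;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')            # quoted option values
SID_RE = re.compile(r'[(;]\s*sid\s*:\s*(\d+)\s*;')   # sid option outside quotes
GID_RE = re.compile(r'[(;]\s*gid\s*:\s*(\d+)\s*;')   # gid option outside quotes


def rule_id(line):
    """Return (gid, sid) for an active rule line, or None for anything else."""
    text = line.strip()
    if not text.startswith(ACTIONS):
        return None                       # comment, blank line, or not a rule
    body = QUOTED.sub('""', text)         # ignore numbers inside msg/content strings
    sid = SID_RE.search(body)
    if sid is None:
        return None
    gid = GID_RE.search(body)
    # A rule without a gid option belongs to generator 1.
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def disable_rule(rules_text, sid, gid=1):
    """Comment out every active rule with this gid:sid; return (new_text, count)."""
    out, hits = [], 0
    for line in rules_text.splitlines(keepends=True):
        if rule_id(line) == (gid, sid):
            line = "# " + line
            hits += 1
        out.append(line)
    return "".join(out), hits


if __name__ == "__main__":
    new_text, count = disable_rule(SAMPLE_RULES, 1000001)
    print(f"disabled {count} rule(s)")
    print(new_text, end="")
```

Write the returned text back to the rules file and restart Snort, as the reply says, for the change to take effect.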




