[Snort-users] How to turn off a rule

Michael Steele michaels at ...9077...
Thu Oct 11 20:22:26 EDT 2012


As long as you understand how PP works, and the proper way to edit the
rules.

Michael...

-----Original Message-----
From: AllowOverride [mailto:allowoverride at ...11827...] 
Sent: Thursday, October 11, 2012 8:01 PM
To: Michael Steele
Cc: 'snort-users'
Subject: Re: [Snort-users] How to turn off a rule

Using PP, but not since a few days ago. Not my issue. PP works fine.


On Thu, 2012-10-11 at 17:09 -0400, Michael Steele wrote:
> If he is using PP, then there is a specific process to use. Not sure 
> at this point how he is performing rule management.
> 
> Michael...
> 
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel at ...11827...]
> Sent: Thursday, October 11, 2012 3:40 PM
> To: AllowOverride
> Cc: snort-users
> Subject: Re: [Snort-users] How to turn off a rule
> 
> You comment out a rule that you don't want, then restart snort for 
> that change to take effect.
> 
> In the case of SSH protocol mismatches, it's probably not a rule, but 
> the preprocessor.. in which case:
> 
> http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch
> 
> There's been a lot of talk about various ways to disable the alert to 
> match your needs.
> 
> 
> 
> On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride 
> <allowoverride at ...11827...>
> wrote:
> > OK, my understanding is to turn off a rule in snort.rules by simply 
> > putting a # in front of the rule, i.e. commenting it out.
> >
> > my question is:
> >
> >             #22-(2-5946)
> > [snort] ssh: Protocol mismatch
> >
> > Turn off this rule.
> >
> > What do I look for? There are a shyt load of ssh rules.
> > Maybe look for a leading line stating 22?
> >
> > Or grep 5946 in snort.rules, right?
> >
> > thanks!
> >
> > PS: this is a false positive, as I am 192.168.1.35 connecting to 
> > 192.168.1.14. It's me.
> >
> >
> > --------------------------------------------------------------------
> > --
> > -------- Don't let slow site performance ruin your business. Deploy 
> > New Relic APM Deploy New Relic app performance management and know 
> > exactly what is happening inside your Ruby, Python, PHP, Java, and 
> > .NET app Try New Relic at no cost today and get our sweet Data Nerd 
> > shirt too!
> > http://p.sf.net/sfu/newrelic-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort
> news!
> 


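The two procedures described in this thread, commenting out a rule by its SID and then restarting snort, versus suppressing a preprocessor event that has no rule line to comment out, as an added shell example that is not part of the thread or of the Snort project. The rules file content and the fast-format alert line are constructed samples; the GID 128 / SID 4 pair used for the SSH preprocessor "Protocol mismatch" event is an assumption and should be read off the `[gid:sid:rev]` field of your own alert output before it goes into threshold.conf. Restarting snort afterwards, as the thread says, is still required for either change to take effect.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to silence a Snort 2.x alert:
#  1. comment out a rule line in snort.rules by its SID (rule-based alerts)
#  2. emit a threshold.conf "suppress" entry for a preprocessor event (no rule to edit)

# Constructed sample rules file (not real Snort rule content).
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh rule one"; sid:5946; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh rule two"; sid:59460; rev:1;)
# alert tcp any any -> any 22 (msg:"SAMPLE already disabled"; sid:5947; rev:1;)
EOF
}

# Constructed fast-format alert line; GID 128 / SID 4 is assumed, verify against your output.
SAMPLE_ALERT='10/11-19:31:02.123456  [**] [128:4:1] (spp_ssh) Protocol mismatch [**] [Priority: 3] {TCP} 192.168.1.35:53422 -> 192.168.1.14:22'

# Count active (uncommented) rule lines carrying exactly this SID.
# "sid:N;" with the trailing semicolon keeps 5946 from matching 59460.
count_active_by_sid() {
    grep -Ec "^[[:space:]]*(alert|log|pass|drop|reject|sdrop).*sid:[[:space:]]*$2;" "$1" || true
}

# Comment out every active rule line whose SID matches, keeping a .bak copy.
# Lines already starting with "#" do not match the action keyword and are left alone.
disable_rule_by_sid() {
    file=$1
    sid=$2
    sed -i.bak -E "s/^[[:space:]]*(alert|log|pass|drop|reject|sdrop)([^#]*sid:[[:space:]]*${sid};)/#\1\2/" "$file"
}

# Pull "gid sid" out of a fast-format alert line such as "[**] [128:4:1] (spp_ssh) ...".
# Preprocessor events carry a GID other than 1, which is the sign there is no rule to comment out.
alert_gid_sid() {
    printf '%s\n' "$1" | sed -En 's/.*\[([0-9]+):([0-9]+):[0-9]+\].*/\1 \2/p'
}

# Build the threshold.conf line that silences one event for one source address,
# so the same event from any other host still alerts.
suppress_line() {
    gid=$1; sid=$2; track=$3; ip=$4
    printf 'suppress gen_id %s, sig_id %s, track %s, ip %s\n' "$gid" "$sid" "$track" "$ip"
}

demo() {
    rules=$(mktemp)
    write_sample_rules "$rules"
    echo "active sid 5946 before: $(count_active_by_sid "$rules" 5946)"   # 1
    disable_rule_by_sid "$rules" 5946
    echo "active sid 5946 after:  $(count_active_by_sid "$rules" 5946)"   # 0
    echo "active sid 59460 after: $(count_active_by_sid "$rules" 59460)"  # 1, untouched
    set -- $(alert_gid_sid "$SAMPLE_ALERT")
    echo "alert gid=$1 sid=$2"
    # Narrow the suppression to the admin host from the thread rather than the whole event.
    suppress_line "$1" "$2" by_src 192.168.1.35
    rm -f "$rules" "$rules.bak"
}

demo
```

The suppress entry is deliberately scoped with `track by_src` to the one host the poster identified as himself; a bare `suppress gen_id 128, sig_id 4` would hide protocol mismatches from every source, including ones you would want to see.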




