[Snort-users] How to turn off a rule

AllowOverride allowoverride at ...11827...
Fri Oct 12 12:56:17 EDT 2012


Jeremy, that's enough, drop the attitude

On Fri, 2012-10-12 at 00:23 +0000, Jeremy Hoel wrote:
> If it's stupid and it works, it's not stupid. In the top 10 results are
> the answers to your problem.  But hey, you can ask the same question
> on the mailing list and let someone get around to answering vs finding
> the answer online and moving to your next problem. 
> 
> On Oct 11, 2012 6:04 PM, "AllowOverride" <allowoverride at ...11827...> wrote:
>         i disagree... completely, google yields hundreds of hits, i can't believe
>         you actually pulled a 2008 joke on me like that, you are 2000 late
>         dude.. lolol
>         
>         On Thu, 2012-10-11 at 21:52 +0000, Jeremy Hoel wrote:
>         > Because the question you asked is easily answered by doing a google search.
>         >
>         > You asked about how to disable a rule, I answered that, and then
>         > pointed to conversations about the particular error you are seeing.
>         > Because it's probably not a rule, but a preprocessor.
>         >
>         > And because google can be your friend if you use it, quick answers to
>         > common problems..
>         >
>         >
>         > On Thu, Oct 11, 2012 at 9:36 PM, AllowOverride <allowoverride at ...11827...> wrote:
>         > > why are you sending me to google?
>         > >
>         > > On Thu, 2012-10-11 at 19:39 +0000, Jeremy Hoel wrote:
>         > >> You comment out a rule that you don't want, then restart snort for
>         > >> that change to take effect.
>         > >>
>         > >> In the case of SSH protocol mismatches, it's probably not a rule, but
>         > >> the preprocessor.. in which case;
>         > >>
>         > >> http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch
>         > >>
>         > >> There's been a lot of talk about various ways to disable the alert to
>         > >> match your needs.
>         > >>
>         > >>
>         > >>
>         > >> On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <allowoverride at ...11827...> wrote:
>         > >> > ok, my understanding is to turn off a rule in snort.rules by simply
>         > >> > putting a # or commenting it out, in front of the rule.
>         > >> >
>         > >> > my question is:
>         > >> >
>         > >> >             #22-(2-5946)
>         > >> > [snort] ssh: Protocol mismatch
>         > >> >
>         > >> > turn off this rule.
>         > >> >
>         > >> > what do i look for, there are a shyt load of ssh rules.
>         > >> > maybe look for leading line stating 22?
>         > >> >
>         > >> > or grep 5946, in snort.rules, right?
>         > >> >
>         > >> > thanks!
>         > >> >
>         > >> > ps this is a false positive, as i am 192.168.1.35 connecting to
>         > >> > 192.168.1.14.. it's me.
>         > >> >
>         > >> >
>         > >> >
>         > >
>         
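
The two cases in the quoted reply (a text rule that you comment out, versus an alert that no rule in the file produces because it comes from a preprocessor), as an added shell example that is not part of the thread. The function name `disable_sid`, its status codes and the sample rules with their SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): comment out a Snort text rule by SID.
# Status: 0  = rule found and commented out
#         1  = rule exists but is already commented out
#         2  = no rule carries that SID (the alert probably comes from a preprocessor)
#         64 = SID argument is not a number
disable_sid() {
    rules=$1
    sid=$2
    case $sid in ''|*[!0-9]*) return 64 ;; esac
    # Match "sid:<n>;" as a whole option, so 1000001 does not also hit 11000001.
    opt="[(;[:space:]]sid:[[:space:]]*${sid}[[:space:]]*;"
    active="^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*${opt}"
    if grep -Eq "$active" "$rules"; then
        cp "$rules" "$rules.bak"                  # keep the original file
        sed -E "/${active}/ s/^/# /" "$rules.bak" > "$rules"
        return 0
    fi
    if grep -Eq "^[[:space:]]*#.*${opt}" "$rules"; then
        return 1
    fi
    return 2
}

# Constructed sample rules; the SIDs and messages are made up for this demo.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
alert tcp any any -> any 22 (msg:"constructed rule A"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"constructed rule B"; sid:11000001; rev:1;)
# alert tcp any any -> any 22 (msg:"constructed rule C"; sid:1000002; rev:1;)
EOF
    for s in 1000001 1000002 5946; do
        rc=0
        disable_sid "$f" "$s" || rc=$?
        echo "sid $s -> status $rc"
    done
    cat "$f"
    rm -f "$f" "$f.bak"
}
demo
```

As the reply says, Snort has to be restarted before a commented-out rule stops firing.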




