[Snort-users] How to turn off a rule

Craft, Robert Robert.Craft at ...15608...
Fri Oct 12 10:45:05 EDT 2012


There's always disabledsid.conf and/or threshold.conf 

disabledsid is more of an OFF switch for a rule while threshold allows tuning (and off as well)

threshold.conf examples:
These filter based on the source ip
suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx
suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx
suppress gen_id 1 , sig_id 2003068, track by_src, ip xxx.xxx.xxx.xxx
# engineer's SSH scans

This one is an off switch
suppress gen_id 1 , sig_id 2010936
# shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic

A disabledsid.conf entry looks more like this:
1:2010936
# shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic
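As an added example (my own code, not from the post or from Snort), a small Python audit that parses entries in the two formats shown above and reports which rules are silenced for all traffic, which are only tuned per source address, which are redundantly listed in both files, and which lines are unusable (such as an unreplaced xxx.xxx.xxx.xxx placeholder). The sample entries and the function names are constructed for this example.

```python
import ipaddress
import re
# Constructed sample fragments modelled on the post's entries (not real files).
THRESHOLD_CONF = """\
suppress gen_id 1 , sig_id 2001689, track by_src, ip 10.0.0.5
suppress gen_id 1 , sig_id 2003068, track by_src, ip 10.0.1.0/24
suppress gen_id 1 , sig_id 2010936
# ET POLICY Suspicious inbound to Oracle SQL port 1521: off for all traffic
suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx
"""
DISABLEDSID_CONF = "1:2010936\n# the same rule is also disabled here\n"
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
                         r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$")

def _lines(text):
    # Yield config lines with trailing comments and blank lines stripped.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_threshold(text):
    """(gid, sid) -> list of scopes; a None scope means no ip clause, i.e. silenced everywhere."""
    rules, bad = {}, []
    for line in _lines(text):
        m = SUPPRESS_RE.match(line)
        if not m:
            bad.append(line)
            continue
        gid, sid, track, ip = m.groups()
        try:  # no ip clause -> scope None; otherwise validate the address or CIDR
            scope = None if ip is None else (track, ipaddress.ip_network(ip, strict=False))
        except ValueError:  # e.g. an unreplaced xxx.xxx.xxx.xxx placeholder
            bad.append(line)
            continue
        rules.setdefault((int(gid), int(sid)), []).append(scope)
    return rules, bad

def parse_disabledsid(text):
    """Collect (gid, sid) pairs from 'gid:sid' lines."""
    return {tuple(int(p) for p in line.split(":")) for line in _lines(text)}

def audit(threshold_text, disabledsid_text):
    """off: silenced everywhere; tuned: only for listed addresses; redundant: in both files."""
    rules, bad = parse_threshold(threshold_text)
    disabled = parse_disabledsid(disabledsid_text)
    whole = {k for k, scopes in rules.items() if None in scopes}
    return {"off": sorted(whole | disabled), "tuned": sorted(set(rules) - whole),
            "redundant": sorted(whole & disabled), "invalid": bad}
```

Running audit(THRESHOLD_CONF, DISABLEDSID_CONF) on the sample flags sid 2010936 as both fully suppressed and disabled, so one of the two entries can be dropped, and reports the placeholder line as invalid.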
