[Snort-users] How to turn off a rule

JJC cummingsj at ...11827...
Fri Oct 12 14:41:54 EDT 2012


As a quick note, suppressing an entire SID is pretty inefficient; it only
suppresses the alert from being recorded, the rule itself still loads into
memory and traffic is still evaluated against it.  In almost every case
where you are generically suppressing a SID, you should instead be
disabling the SID.

JJC

On Fri, Oct 12, 2012 at 8:45 AM, Craft, Robert <Robert.Craft at ...15608...> wrote:

> There's always disabledsid.conf and/or threshold.conf
>
> disabledsid is more of an OFF switch for a rule while threshold allows
> tuning (and off as well)
>
> threshold.conf examples:
> These filter based on the source ip
> suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx
> suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx
> suppress gen_id 1 , sig_id 2003068, track by_src, ip xxx.xxx.xxx.xxx
> # engineer's SSH scans
>
> This one is an off switch
> suppress gen_id 1 , sig_id 2010936
> # shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic
>
> A disabledsid.conf entry looks more like this:
> 1:2010936
> # shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic
>
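As an added illustration of the distinction drawn in this exchange (not code from either poster), the following Python script audits a threshold.conf and lists the `suppress` entries that carry no `track`/`ip` clause, i.e. blanket suppressions that only hide the alert while the rule stays loaded, and emits them as `gen_id:sig_id` lines ready for a disablesid.conf-style file (the thread spells it disabledsid.conf). The sample threshold.conf contents and IP addresses are constructed.

```python
import re

# Constructed sample threshold.conf, modelled on the entries quoted above
# (addresses are documentation-range placeholders, not real hosts).
SAMPLE_THRESHOLD_CONF = """\
# engineer's SSH scans
suppress gen_id 1, sig_id 2001689, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2003068, track by_src, ip 192.0.2.0/24
# shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert
suppress gen_id 1 , sig_id 2010936
event_filter gen_id 1, sig_id 2000001, type limit, track by_src, count 1, seconds 60
"""

# Matches a suppress line; group 3 captures whatever follows sig_id (track/ip).
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*(?:,\s*(.*))?$"
)


def parse_suppress(line):
    """Return (gen_id, sig_id, has_track) for a suppress line, else None."""
    m = SUPPRESS_RE.match(line.split("#", 1)[0].rstrip())  # drop trailing comments
    if not m:
        return None
    gen, sid, rest = m.groups()
    has_track = bool(rest and re.search(r"\btrack\s+by_(src|dst)\b", rest))
    return int(gen), int(sid), has_track


def blanket_suppressions(conf_text):
    """(gen_id, sig_id) pairs suppressed with no track clause: the rule still
    loads and is still evaluated, so these belong in disablesid.conf instead."""
    hits = []
    for line in conf_text.splitlines():
        parsed = parse_suppress(line)
        if parsed is not None and not parsed[2]:
            hits.append((parsed[0], parsed[1]))
    return hits


def to_disablesid_lines(pairs):
    """Format pairs as disablesid.conf entries, e.g. '1:2010936'."""
    return [f"{gen}:{sid}" for gen, sid in pairs]


if __name__ == "__main__":
    for entry in to_disablesid_lines(blanket_suppressions(SAMPLE_THRESHOLD_CONF)):
        print(entry)  # prints 1:2010936 for the sample above
```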

