[Snort-users] SSH MISMATCH

Joel Esler jesler at ...1935...
Fri Oct 19 10:17:49 EDT 2012


Use the disablesid.conf in pulledpork to turn off this particular rule.


On Oct 18, 2012, at 9:53 PM, AllowOverride <allowoverride at ...11827...> wrote:

> Yes, I am using pp. That's what is puzzling me. From what the other user
> said, it's built in.
> 
> I guess I will try to recompile, then negate it with the snort command.
> 
> Just a few thoughts. Thanks.
> 
> 
> On Thu, 2012-10-18 at 20:23 -0400, Michael Steele wrote:
>> Aren't you using PulledPork? 
>> 
>> Michael...
>> 
>> -----Original Message-----
>> From: AllowOverride [mailto:allowoverride at ...11827...] 
>> Sent: Wednesday, October 17, 2012 6:10 PM
>> To: snort-users
>> Subject: [Snort-users] SSH MISMATCH
>> 
>> I am trying to turn off this alert in preproc_rules/preprocessor.rules:
>> 
>> #alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1;
>> metadata: rule-type preproc, service ssh ;
>> classtype:non-standard-protocol;)
>> 
>> I commented it out, but it still shows up in BASE.
>> 
>> Which leads to another logical question:
>> 
>> How can one find out where a rule lives in the first place?
>> I figured out from BASE that if I mouse over the snort portion it states
>> 128-4, which I figured means you can grep 128, go to the file, 4 entries
>> down, and find it that way.
>> 
>> 1. Is there another, easier way to find them?
>> 
>> 2. Lastly, how can I turn off 128-4 for good?
>> 
>> Thanks
>> 
>> 
>> ----------------------------------------------------------------------------
>> --
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics Download AppDynamics Lite for
>> free today:
>> http://p.sf.net/sfu/appdyn_sfd2d_oct
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>> 
>> 
> 
> 

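An added example, not code from the thread or from the Snort or PulledPork projects: it indexes rule files by (gid, sid) so that the "128-4" pair shown in BASE can be traced to its file and line, reports whether the rule is commented out there, and formats the gid:sid entry for PulledPork's disablesid.conf. The function names, the rules/local.rules file and its rule are constructed for illustration; the first sample rule is the one quoted above.

```python
import re

# Constructed sample: the rule quoted in the thread (wrapped over three
# lines as the e-mail shows it) and one hypothetical gid-1 rule.
SAMPLE_RULES = {
    "preproc_rules/preprocessor.rules": '''\
#alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1;
metadata: rule-type preproc, service ssh ;
classtype:non-standard-protocol;)
''',
    "rules/local.rules": '''\
alert tcp any any -> any 22 (msg:"constructed example"; sid:1000001; rev:1;)
''',
}

RULE_START = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\b")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def index_rules(files):
    """Map (gid, sid) -> (file, line where the rule starts, enabled?)."""
    index = {}
    for path, text in files.items():
        start, buf = None, ""
        for lineno, line in enumerate(text.splitlines(), 1):
            if start is None:
                if not RULE_START.match(line):
                    continue          # comment or blank line, not a rule
                start, buf = lineno, ""
            buf += " " + line.strip().rstrip("\\")
            if not buf.rstrip().endswith(")"):
                continue              # rule continues on the next line
            sid, gid = SID.search(buf), GID.search(buf)
            if sid:                   # a rule without gid: defaults to gid 1
                key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
                index[key] = (path, start, not buf.lstrip().startswith("#"))
            start = None
    return index

def locate(index, base_id):
    """Look up a 'gid-sid' pair in the form BASE displays, e.g. '128-4'."""
    gid, sid = (int(part) for part in base_id.split("-"))
    return index.get((gid, sid))

def disablesid_entry(gid, sid):
    """Entry for PulledPork's disablesid.conf, in gid:sid form."""
    return f"{gid}:{sid}"
```

To use it on a real sensor, build the `files` dictionary from the rule files on disk, then call `locate(index_rules(files), "128-4")`.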



