[Snort-users] SSH MISMATCH

Castle, Shane scastle at ...14946...
Fri Oct 19 10:40:21 EDT 2012


You know, I could be wrong, but my understanding is that these must be turned off by tuning the preprocessor config in the snort.conf, not in disablesid.conf, pulledpork, or by commenting out the rule. They can be suppressed using threshold.conf, of course.

Am I wrong?

-- 
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Friday, October 19, 2012 08:18
To: AllowOverride
Cc: Michael Steele; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] SSH MISMATCH

Use the disablesid.conf in pulledpork to turn off this particular rule.


On Oct 18, 2012, at 9:53 PM, AllowOverride <allowoverride at ...11827...> wrote:

> Yes, I am using pp. That's what is puzzling me. From what the other user
> said, it's built in.
> 
> I guess I will try to recompile, then negate it with the snort command.
> 
> Just a few thoughts. Thanks.
> 
> 
> On Thu, 2012-10-18 at 20:23 -0400, Michael Steele wrote:
>> Aren't you using PulledPork? 
>> 
>> Michael...
>> 
>> -----Original Message-----
>> From: AllowOverride [mailto:allowoverride at ...11827...] 
>> Sent: Wednesday, October 17, 2012 6:10 PM
>> To: snort-users
>> Subject: [Snort-users] SSH MISMATCH
>> 
>> I am trying to turn off this alert in preproc_rules/preprocessor.rules:
>> 
>> #alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1;
>> metadata: rule-type preproc, service ssh ;
>> classtype:non-standard-protocol;)
>> 
>> I commented it out, but it still shows up in BASE.
>> 
>> Which leads to another logical question: 
>> 
>> How can one find out where a rule lives in the first place?
>> I figured out from BASE that if I mouse over the Snort portion it states
>> 128-4, which I figured means you can grep for 128, go to the file, go 4 entries down, and find
>> it that way.
>> 
>> 1. Is there another, easier way to find them?
>> 
>> 2. Lastly, how can I turn off 128-4 for good?
>> 
>> Thanks
>> 
>> 
>> ------------------------------------------------------------------------------
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics Download AppDynamics Lite for
>> free today:
>> http://p.sf.net/sfu/appdyn_sfd2d_oct
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>> 
>> 
> 
> 


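The thread leaves two practical points hanging: how to find the file a gid:sid pair such as 128-4 lives in, and why commenting that line out changes nothing. The script below is an added example written for this page; it is not code from the thread, from PulledPork or from the Snort project. It locates a rule by both gid and sid (text rules omit the gid option, which defaults to 1, so matching on the sid alone would also hit an ordinary sid:4 rule), and it deliberately still reports commented-out lines, because a `#` in front of a preprocessor rule does not stop the preprocessor from raising the event. The rules tree it searches is constructed inline for the demonstration; only the 128:4 line is taken from the thread, the other two rules are invented. It assumes a POSIX shell with find, sort, awk and mktemp available.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): locate a Snort rule
# by the gid:sid pair that BASE displays as "128-4", and build a constructed
# rules tree to try it on.  Assumes POSIX sh, find, sort, awk and mktemp.
#
# Why both fields matter: text rules (gid 1) normally omit the gid option, so
# grepping for the sid alone would also match "sid:4" in any ordinary rules
# file.  A leading '#' is deliberately not treated specially, so a commented-
# out preprocessor rule is still reported: commenting it out does not stop
# the preprocessor from raising the event.
#
# Usage: find_rule GID SID RULES_DIR   -> prints FILE:LINE:RULE per match
find_rule() {
    gid="$1"; sid="$2"; dir="$3"
    find "$dir" -type f -name '*.rules' | sort | while IFS= read -r f; do
        awk -v gid="$gid" -v sid="$sid" -v file="$f" '
            {
                s = ""; g = "1"    # gid defaults to 1 when the option is absent
                if (match($0, /sid:[ \t]*[0-9]+/)) {
                    s = substr($0, RSTART, RLENGTH); sub(/sid:[ \t]*/, "", s)
                }
                if (match($0, /gid:[ \t]*[0-9]+/)) {
                    g = substr($0, RSTART, RLENGTH); sub(/gid:[ \t]*/, "", g)
                }
                if (s == sid && g == gid) printf "%s:%d:%s\n", file, NR, $0
            }' "$f"
    done
}

# Constructed sample tree (hypothetical contents, not shipped Snort rule files).
# It holds the 128:4 line quoted in the thread, a second preprocessor-style
# rule that reuses sid 4 under a different gid, and a text rule with sid 4.
make_sample_rules() {
    d=$(mktemp -d)
    mkdir -p "$d/preproc_rules" "$d/rules"
    cat > "$d/preproc_rules/preprocessor.rules" <<'EOF'
#alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
alert ( msg: "CONSTRUCTED_OTHER_PREPROC_EVENT"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:misc-activity;)
EOF
    cat > "$d/rules/local.rules" <<'EOF'
alert tcp any any -> any 22 (msg:"constructed text rule, sid 4 with implicit gid 1"; sid:4; rev:1;)
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: where does 128:4 live, and which rule is really 1:4?
demo_dir=$(make_sample_rules)
find_rule 128 4 "$demo_dir"
find_rule 1 4 "$demo_dir"
rm -rf "$demo_dir"
```

Finding the line is only half the job. For a gid 128 event the rule file is just a label for the alert; what actually decides whether the SSH preprocessor raises a protocol-mismatch event is the `preprocessor ssh:` line in snort.conf, where (per the Snort 2.x manual) the `enable_protomismatch` keyword switches that check on. Dropping that keyword stops 128:4 at the source; if you would rather keep the check but not see it, `suppress gen_id 128, sig_id 4` in threshold.conf discards the event at output time, which is the threshold.conf route mentioned above.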
