[Snort-users] SSH MISMATCH

AllowOverride allowoverride at ...11827...
Sat Oct 20 02:46:08 EDT 2012



Preproc implies "inline"; I am not running inline, therefore I shut
them off... with instructions in pulledpork.conf. I took # away as well
in preprocessor rules... IDS mode, it's a different story/conf altogether.
Not there yet... eventually. Have to figure out/read about inline
later.

Thanks, enjoy.

On Fri, 2012-10-19 at 14:40 +0000, Castle, Shane wrote:
> You know, I could be wrong, but my understanding is that these must be turned off by tuning the preprocessor config in the snort.conf, not in disablesid.conf, pulledpork, or by commenting out the rule. They can be suppressed using threshold.conf, of course.
> 
> Am I wrong?
> 
> -- 
> Shane Castle
> Data Security Mgr, Boulder County IT
> 
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Friday, October 19, 2012 08:18
> To: AllowOverride
> Cc: Michael Steele; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] SSH MISMATCH
> 
> Use the disablesid.conf in pulledpork to turn off this particular rule.
> 
> 
> On Oct 18, 2012, at 9:53 PM, AllowOverride <allowoverride at ...11827...> wrote:
> 
> > Yes, I am using pp. That's what is puzzling me. From what the other user
> > said, it's built in.
> > 
> > I guess I will try to recompile, then negate it with the snort command.
> > 
> > Just a few thoughts. Thanks.
> > 
> > 
> > On Thu, 2012-10-18 at 20:23 -0400, Michael Steele wrote:
> >> Aren't you using PulledPork? 
> >> 
> >> Michael...
> >> 
> >> -----Original Message-----
> >> From: AllowOverride [mailto:allowoverride at ...11827...] 
> >> Sent: Wednesday, October 17, 2012 6:10 PM
> >> To: snort-users
> >> Subject: [Snort-users] SSH MISMATCH
> >> 
> >> I am trying to turn off this alert in preproc_rules/preprocessor.rules:
> >> 
> >> #alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1;
> >> metadata: rule-type preproc, service ssh ;
> >> classtype:non-standard-protocol;)
> >> 
> >> I commented it out; still it shows up in BASE.
> >> 
> >> Which leads to another logical question:
> >> 
> >> How can one find out where a rule lives in the first place?
> >> I figured out from BASE that if I mouse over the Snort portion it states
> >> 128-4, which I figured you can grep for 128, go to the file, 4 entries down,
> >> and find it that way.
> >> 
> >> 1. Is there another, easier way to find them?
> >> 
> >> 2. Lastly, how can I turn off 128-4 for good?
> >> 
> >> Thanks
> >> 
> >> 
> >> ------------------------------------------------------------------------------
> >> Everyone hates slow websites. So do we.
> >> Make your web apps faster with AppDynamics Download AppDynamics Lite for
> >> free today:
> >> http://p.sf.net/sfu/appdyn_sfd2d_oct
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >> 
> >> Please visit http://blog.snort.org to stay current on all the latest Snort
> >> news!
> >> 
> >> 
> > 
> > 
> 
> 
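Two questions run through this thread: how to find the file a gid:sid such as 128:4 lives in, and where the event is actually switched off. The three places named by the replies are the preprocessor line in snort.conf, a suppress entry in threshold.conf (suppress gen_id 128, sig_id 4) and pulledpork's disablesid.conf (128:4). Of these, the snort.conf option is what controls generation: the ssh preprocessor only raises sid 4 when its "preprocessor ssh:" line carries enable_protomismatch, so commenting the line in preprocessor.rules or suppressing in threshold.conf only hides an event the preprocessor still produces. The script below is an added example, not code from this thread, from Snort or from PulledPork: find_rule locates a rule by gid:sid (text rules with no gid keyword count as gid 1), ssh_protomismatch_enabled checks whether the active ssh preprocessor line still has the option, and make_sample_tree writes constructed sample rules and snort.conf fragments (all file names, rule messages and the sid 1000004 local rule are made up for the demo) into a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort/PulledPork.
# 1) find_rule: locate a rule by gid:sid across a rules directory.
# 2) ssh_protomismatch_enabled: check whether the active "preprocessor ssh:"
#    line in snort.conf still carries enable_protomismatch, the option that
#    makes the ssh preprocessor raise 128:4 in the first place.
# make_sample_tree writes constructed sample files to a temp dir for the demo.

# find_rule GID SID RULES_DIR -> one "file:line" per matching rule.
# Text rules normally have no gid keyword; Snort treats those as gid 1.
find_rule() {
    gid=$1; sid=$2; dir=$3
    # anchor on the trailing ';' so that sid 4 does not also match sid 40
    find "$dir" -name '*.rules' -exec grep -nHE "sid:[[:space:]]*${sid}[[:space:]]*;" {} + |
    while IFS= read -r hit; do
        case $hit in
            *gid:*) rule_gid=$(printf '%s\n' "$hit" |
                        sed -E 's/.*gid:[[:space:]]*([0-9]+)[[:space:]]*;.*/\1/') ;;
            *)      rule_gid=1 ;;
        esac
        if [ "$rule_gid" = "$gid" ]; then
            f=${hit%%:*}; rest=${hit#*:}; n=${rest%%:*}
            printf '%s:%s\n' "$f" "$n"
        fi
    done | sort
}

# ssh_protomismatch_enabled SNORT_CONF -> exit 0 if an uncommented
# "preprocessor ssh:" line (backslash continuations joined first) contains
# enable_protomismatch, else exit 1.
ssh_protomismatch_enabled() {
    awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next } { print buf $0; buf = "" }' "$1" |
    grep -qE '^[[:space:]]*preprocessor[[:space:]]+ssh:.*enable_protomismatch'
}

# make_sample_tree -> prints the path of a temp dir holding constructed samples
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    cat > "$d/rules/preprocessor.rules" <<'EOF'
# constructed sample modelled on preproc_rules/preprocessor.rules
alert ( msg: "CONSTRUCTED_DECOY"; sid: 40; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:misc-activity;)
#alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
alert ( msg: "CONSTRUCTED_DECODER_EVENT"; sid: 4; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode;)
EOF
    cat > "$d/rules/local.rules" <<'EOF'
# constructed text rule; no gid keyword, so it belongs to gid 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH sample"; flow:to_server; sid:1000004; rev:1;)
EOF
    cat > "$d/snort.conf" <<'EOF'
# constructed fragment: the stock ssh preprocessor line, split over continuations
preprocessor ssh: server_ports { 22 } autodetect max_client_bytes 19600 \
    max_encrypted_packets 20 max_server_version_len 100 \
    enable_respoverflow enable_ssh1crc32 enable_srvoverflow enable_protomismatch
EOF
    # same config with the option removed: the preprocessor then never raises 128:4
    sed 's/ enable_protomismatch//' "$d/snort.conf" > "$d/snort-fixed.conf"
    printf '%s\n' "$d"
}

# demo run over the constructed tree
dir=$(make_sample_tree)
echo "128:4 lives at:      $(find_rule 128 4 "$dir/rules")"
echo "116:4 lives at:      $(find_rule 116 4 "$dir/rules")"
echo "1:1000004 lives at:  $(find_rule 1 1000004 "$dir/rules")"
for conf in snort.conf snort-fixed.conf; do
    if ssh_protomismatch_enabled "$dir/$conf"; then
        echo "$conf: enable_protomismatch set, 128:4 can fire"
    else
        echo "$conf: enable_protomismatch absent, 128:4 cannot fire"
    fi
done
rm -rf "$dir"
```

Point find_rule at the real rules and preproc_rules directories to answer the "where does 128-4 live" question without counting entries by hand; the gid filter matters because sid numbers are only unique within a gid, so a bare grep for the sid turns up decoder and text rules too. Run ssh_protomismatch_enabled against the production snort.conf before relying on a disablesid.conf or threshold.conf entry: if it returns 0, the preprocessor is still being told to check for the mismatch, whatever the rule files say.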