[Snort-users] Commented rule triggering alerts

Joel Esler jesler at ...1935...
Wed Apr 10 16:03:52 EDT 2013


On Apr 10, 2013, at 3:54 PM, Joao Daniel Neves <joaodanielnevesss at ...125...> wrote:

> Hi,
> 
> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was triggering those alerts. The sid of the rule is 381.
> I did the following:
> 
> cd /etc/snort/rules
> 
> grep -wril 'sid:381' ./*
> ./icmp-info.rules
> 
> vim icmp-info.rules
> 
> I found the line and then commented it out by placing a "#" at the beginning of the line. I stopped Snort and then started it again.
> 
> And I still get alerts for that SID. What can I do to solve it?

Are you using pulledpork?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire