[Snort-users] Commented rule triggering alerts

waldo kitty wkitty42 at ...14940...
Wed Apr 10 16:12:58 EDT 2013


On 4/10/2013 15:54, Joao Daniel Neves wrote:
> Hi,
>
> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was
> triggering those alerts. The sid of the rule is 381.
> I did the following:
>
> cd /etc/snort/rules
>
> grep -wril 'sid:381' ./*
> ./icmp-info.rules
>
> vim icmp-info.rules
>
> I found the line and then commented it out by placing a "#" at the beginning of the
> line. I stopped Snort and then started it again.
>
> And I still get alerts for that SID. What can I do to solve it?

please be sure to post the whole identifier of a rule, GID:SID, so that you and 
we can be sure we're talking about the same thing...

the rule you commented out in icmp-info.rules would appear to be 1:381 but you 
might have a 3:381 rule doing the alerting instead...

GID 1 is the regular text file rules
GID 3 is the SO dynamic rules

there are numerous GIDs (Generator IDentifiers) in snort and each has its own 
number... most of them are going to be internal to snort in the preprocessors 
and similar modules...

so, with all that said, is your alert 1:381 or 3:381??
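The check the reply is asking for, as an added example that is not part of the original thread: scan a rules directory for every rule carrying a given SID and report its GID (default 1 when no gid: option is present, 3 for shared-object stub rules) together with whether the line is commented out. The rules directory and rule text below are constructed for the demonstration, not real Snort rule content.

```shell
#!/bin/sh
# Added example, not from the thread. Lists every rule carrying a given SID
# under a rules directory, printing GID:SID, file:line and whether the line is
# commented out. A rule with no explicit "gid:" option defaults to GID 1;
# shared-object stub rules carry "gid:3", so commenting out the GID 1 text rule
# leaves a GID 3 rule with the same SID untouched.

find_sid() {
    dir=$1; sid=$2
    # -r recurse, -n prefix line numbers, -i ignore case; the pattern tolerates
    # optional whitespace around the colon and requires the terminating ';'
    # so that sid:381 does not also match sid:3810.
    grep -rniE "sid[[:space:]]*:[[:space:]]*${sid}[[:space:]]*;" "$dir" 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}; lineno=${rest%%:*}; line=${rest#*:}
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $trimmed in
            \#*) state=commented ;;
            *)   state=active ;;
        esac
        gid=$(printf '%s' "$line" | sed -nE 's/.*gid[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p')
        [ -n "$gid" ] || gid=1
        printf '%s:%s %s:%s %s\n' "$gid" "$sid" "$file" "$lineno" "$state"
    done
}

# Constructed rules directory mimicking the poster's situation (not real Snort
# rule text): the GID 1 text rule is commented out but a GID 3 stub remains.
make_demo_rules() {
    d=$(mktemp -d)
    mkdir -p "$d/so_rules"
    cat > "$d/icmp-info.rules" <<'EOF'
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:381; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP other"; itype:8; sid:382; rev:1;)
EOF
    cat > "$d/so_rules/demo.rules" <<'EOF'
alert ( msg:"demo SO stub"; sid:381; gid:3; rev:1; )
EOF
    printf '%s\n' "$d"
}

demo=$(make_demo_rules)
find_sid "$demo" 381
rm -rf "$demo"
```

Run it against the real rules directory as `find_sid /etc/snort/rules 381`; an `active` line with GID 3 explains alerts that survive commenting out the GID 1 rule.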
