[Snort-users] Commented rule triggering alerts
wkitty42 at ...14940...
Wed Apr 10 16:12:58 EDT 2013
On 4/10/2013 15:54, Joao Daniel Neves wrote:
> I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was
> triggering those alerts. The sid of the rule is 381.
> I did the following:
> cd /etc/snort/rules
> grep -wril 'sid:381' ./*
> vim icmp-info.rules
> I found the line and then commented it by placing a "#" at the beginning of the
> line. I stopped Snort and then started it again.
> And I still get alerts for that SID. What can I do to solve it?
please be sure to post the whole identifier of a rule, GID:SID, so that you and
we can be sure we're talking about the same thing...
the rule you commented out in icmp-info.rules would appear to be 1:381 but you
might have a 3:381 rule doing the alerting instead...
GID 1 is the regular text file rules
GID 3 is the SO dynamic rules
there are numerous GIDs (Generator IDentifier) in snort and each has its own
number... most of them are going to be internal to snort in the preprocessors
and similar modules...
so, with all that said, is your alert 1:381 or 3:381??
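As an added example (not part of this thread and not Snort's own code), the POSIX shell script below demonstrates both halves of the advice above: it reads the full GID:SID out of alert_fast lines so you can see which generator is actually firing SID 381, and it checks a rules directory for any uncommented text rule that still carries that sid, since a second copy in another file would explain a GID 1 alert after commenting out one line. The alert lines, rule lines and file names are constructed samples; the sid 381 rule text is a placeholder, not Snort's real rule.

```shell
#!/bin/sh
# Added example: parse alert_fast output by GID:SID and look for active
# text rules with a given sid. All sample data below is constructed.

# Constructed alert lines in Snort's alert_fast format. The GID 3 lines
# stand in for a shared-object (SO) rule that happens to share SID 381.
SAMPLE_ALERTS='04/10-15:54:01.123456  [**] [1:381:8] EXAMPLE ICMP rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
04/10-15:54:02.223456  [**] [3:381:1] EXAMPLE SO rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
04/10-15:54:03.323456  [**] [1:384:5] EXAMPLE other ICMP rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
04/10-15:54:04.423456  [**] [3:381:1] EXAMPLE SO rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20'

# Print "GID:SID count" for every generator that fired the given SID.
# $1 = SID to look for; alert_fast lines are read from stdin.
count_by_gid() {
  sed -n 's/.*\[\*\*\] \[\([0-9][0-9]*\):\([0-9][0-9]*\):[0-9][0-9]*\].*/\1:\2/p' \
    | awk -F: -v sid="$1" '$2 == sid { c[$1 ":" $2]++ } END { for (k in c) print k, c[k] }' \
    | sort
}

# Print the path of every rules file that still contains an active
# (uncommented) text rule with the given SID; grep exits 1 if none.
# $1 = rules directory, $2 = SID.
active_text_rules() {
  grep -rlE "^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*[[:space:](]sid:[[:space:]]*$2[[:space:]]*;" "$1"
}

# Build a throwaway rules directory: one commented-out copy of a
# constructed sid 381 rule, and a second, still active copy in another
# file. Prints the directory path.
make_sample_rules_dir() {
  d=$(mktemp -d)
  cat > "$d/icmp-info.rules" <<'EOF'
# commented out by the admin (constructed rule, not Snort's real sid 381)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP rule"; itype:8; classtype:misc-activity; sid:381; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE other ICMP rule"; itype:8; classtype:misc-activity; sid:384; rev:5;)
EOF
  cat > "$d/local.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE duplicate"; itype:8; classtype:misc-activity; sid:381; rev:1;)
EOF
  printf '%s\n' "$d"
}

# Stand-alone run: which generators fire SID 381, and which file still has it active?
printf '%s\n' "$SAMPLE_ALERTS" | count_by_gid 381
active_text_rules "$(make_sample_rules_dir)" 381
```

On the sample data the first command prints `1:381 1` and `3:381 2`, which is exactly the distinction the reply asks for: commenting a line in icmp-info.rules cannot affect the 3:381 alerts, and the second command points at the other file where a GID 1 copy of the sid is still active. Against a real sensor, replace SAMPLE_ALERTS with `cat /var/log/snort/alert` (or wherever alert_fast writes) and pass the real rules directory.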