[Snort-users] disablesid.conf Issue (was Syntax for "ignore=" in Pulledpork)

James Lay jlay at ...13475...
Thu Nov 14 15:12:10 EST 2013


On 2013-11-14 07:56, Stark, Vernon L. wrote:
> Thanks for the help YM.
>
> Unfortunately, I'm not getting 100% success when using
> disablesid.conf. I tried various additions to disablesid.conf
> (ET-chat, emerging-chat.rules, emerging-chat, and ET-chat.rules) and
> get the best results when I include the following line in
> disablesid.conf:
>
> ET-chat
>
> This still leaves 9 active ET chat rules in snort.rules:
>
> # cat snort.rules | grep "ET CHAT" | wc -l
>
> 9
>
> The sids of these chat rules show that they come from the emerging
> chat.rules file. Pulledpork does eliminate the majority of the
> Emerging Threat chat rules, but doesn't disable all the rules. Has
> anyone else run into this issue? Any suggestions for a fix/workaround?
>
> In case it's relevant, I have the following line in pulledpork.conf:
>
> state_order=disable,drop,enable
>
> I'm only using enablesid.conf to enable a single sid.
>
> Vern
>
> FROM: Y M [mailto:snort at ...15979...]
> SENT: Wednesday, November 13, 2013 12:12 PM
> TO: Stark, Vernon L.; snort-users
> SUBJECT: RE: [Snort-users] Syntax for "ignore=" in Pulledpork
>
> Hi,
>
> You need to define the rules/categories you want to ignore/disable in
> the "disablesid.conf" file. Edit the same file and add:
>
> emerging-chat.rules
>
> The comments/documentation inside the "disablesid.conf" file should be
> sufficient to get you going. I am not sure if the "ignore" within the
> "pulledpork.conf" will operate on ET rules. Someone else can jump in
> and comment in this regard.
>
> Hope this helps.
>
> YM
>
> -------------------------
>
> From: Vernon.Stark at ...383...
> To: snort-users at lists.sourceforge.net
> Date: Wed, 13 Nov 2013 12:01:36 -0500
> Subject: [Snort-users] Syntax for "ignore=" in Pulledpork
>
> What syntax is required with the "ignore=" line in Pulledpork (0.7.0)
> when ignoring selected Emerging Threats rules? For example, if one
> wants to ignore chat.rules from the Emerging Rules set, what syntax is
> required? I tried all of the following and yet "ET CHAT" rules still
> end up in snort.rules in the enabled state.
>
> ignore=emerging-chat.rules
>
> ignore=ET-chat.rules
>
> ignore=emerging-chat
>
> ignore=ET-chat
>
> I have recent rule downloads, so I've been using the following:
>
> ./pulledpork.pl -c pulledpork.conf -n -P -E
>
> Vern

I've had much luck with the below in pp.conf:

ignore=deleted.rules,experimental.rules,emerging-tor.rules

James