[Snort-users] Pulledpork doesn't disable some rules

C. L. Martinez carlopmart at ...11827...
Mon Apr 14 03:32:02 EDT 2014


On Mon, Apr 14, 2014 at 6:22 AM, Y M <snort at ...15979...> wrote:
> This is probably because of the existence of a flowbit in the rule. You
> disable it, however, PulledPork checks/verifies flowbits, and will re-enable
> rules based on that. Can you run your PulledPork command with -v to output
> in verbose mode? If there is a flowbit conflict with your rule disablement,
> it will show up in PulledPork output.
>
> YM
>

Oops .. You are right YM:

Cleanup....
removed 55 temporary snort files or directories from /tmp/tha_rules!
Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
Disabled 1:2009005
Disabled 1:2011582
Modified 2 rules
Done
Setting Flowbit State....
WARN - 1:2011582 is re-enabled by a check of the
ET.http.javaclient.vulnerable flowbit!
Enabled 39 flowbits
Done
Writing rules to unique destination files....
Writing rules to /data/config/etc/idpsuricata02/rules/
Done
Generating sid-msg.map....
Done
Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
Done
Fly Piggy Fly!

Uhmm .. How can I avoid this situation??
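
[Added example, not part of the original message and not PulledPork's own code.] A Python sketch of the flowbit dependency check behind the WARN line above: it reports which disabled SIDs set a flowbit that a still-enabled rule checks. The rule bodies and SID 9000001 are constructed for illustration, and the fixed-point loop is an assumption about how such a resolver can work.

```python
import re

# Constructed rules (not the real ET signatures). Only SIDs 2009005 and
# 2011582 and the flowbit name come from the output above; 9000001 is made up.
RULES = """\
alert tcp any any -> any any (msg:"constructed setter"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:noalert; sid:2011582; rev:1;)
alert tcp any any -> any any (msg:"constructed checker"; flowbits:isset,ET.http.javaclient.vulnerable; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"constructed standalone"; content:"x"; sid:2009005; rev:1;)
"""
DISABLED = {"1:2009005", "1:2011582"}  # the two entries disablesid.conf disabled

SETTERS = {"set", "setx", "unset", "toggle"}
CHECKERS = {"isset", "isnotset"}
FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*,\s*([^;]+);")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse(text):
    """Return {"gid:sid": {"sets": {...}, "checks": {...}}} for every rule line."""
    rules = {}
    for line in text.splitlines():
        sid, gid = SID.search(line), GID.search(line)
        if not sid:
            continue
        entry = {"sets": set(), "checks": set()}
        for action, args in FLOWBITS.findall(line):
            # "set,a&b,group" -> names a and b; the optional group is ignored
            names = {n.strip() for n in re.split(r"[&|]", args.split(",")[0])}
            if action in SETTERS:
                entry["sets"] |= names
            elif action in CHECKERS:
                entry["checks"] |= names
        rules[f"{gid.group(1) if gid else 1}:{sid.group(1)}"] = entry
    return rules


def reenabled(rules, disabled):
    """Disabled rules that set a flowbit some still-enabled rule checks."""
    off, result, changed = set(disabled), {}, True
    while changed:  # a re-enabled rule may itself check another flowbit
        changed = False
        needed = set().union(*(r["checks"] for k, r in rules.items() if k not in off))
        for key in sorted(off):
            hit = rules.get(key, {"sets": set()})["sets"] & needed
            if hit:
                result[key] = sorted(hit)
                off.discard(key)
                changed = True
    return result


if __name__ == "__main__":
    print(reenabled(parse(RULES), DISABLED))
```

In this model, the setter rule stays disabled only once every rule that checks its flowbit is disabled as well.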



