[Snort-users] Pulledpork doesn't disable some rules
C. L. Martinez
carlopmart at ...11827...
Mon Apr 14 03:32:02 EDT 2014
On Mon, Apr 14, 2014 at 6:22 AM, Y M <snort at ...15979...> wrote:
> This is probably because of the existence of a flowbit in the rule. You
> disable it, however, PulledPork checks/verifies flowbits, and will re-enable
> rules based on that. Can you run your PulledPork command with -v to output
> in verbose mode? If there is a flowbit conflict with your rule disablement,
> it will show up in PulledPork output.
Oops .. You are right YM:
removed 55 temporary snort files or directories from /tmp/tha_rules!
Modified 2 rules
Setting Flowbit State....
WARN - 1:2011582 is re-enabled by a check of the
Enabled 39 flowbits
Writing rules to unique destination files....
Writing rules to /data/config/etc/idpsuricata02/rules/
Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
Fly Piggy Fly!
Uhmm .. How can I avoid this situation??
More information about the Snort-users