[Snort-users] Pulledpork doesn't disable some rules
C. L. Martinez
carlopmart at ...11827...
Mon Apr 14 05:29:42 EDT 2014
On Mon, Apr 14, 2014 at 7:32 AM, C. L. Martinez <carlopmart at ...11827...> wrote:
> On Mon, Apr 14, 2014 at 6:22 AM, Y M <snort at ...15979...> wrote:
>> This is probably because of the existence of a flowbit in the rule. You
>> disable it, however, PulledPork checks/verifies flowbits, and will re-enable
>> rules based on that. Can you run your PulledPork command with -v to output
>> in verbose mode? If there is a flowbit conflict with your rule disablement,
>> it will show up in PulledPork output.
> Oops .. You are right YM:
> removed 55 temporary snort files or directories from /tmp/tha_rules!
> Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
> Disabled 1:2009005
> Disabled 1:2011582
> Modified 2 rules
> Setting Flowbit State....
> WARN - 1:2011582 is re-enabled by a check of the
> ET.http.javaclient.vulnerable flowbit!
> Enabled 39 flowbits
> Writing rules to unique destination files....
> Writing rules to /data/config/etc/idpsuricata02/rules/
> Generating sid-msg.map....
> Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
> Fly Piggy Fly!
> Uhmm .. How can I avoid this situation??
Ok, I have applied the following solution posted in
modifysid option without luck.
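An added example, not part of the original message and not PulledPork's own code: a Python check that reads PulledPork `-v` output and reports which SIDs from disablesid.conf were re-enabled by flowbit resolution. The function names are hypothetical, and the sample log is constructed from the output quoted above, with the WARN line wrapped as the mail client wrapped it.

```python
import re

# Constructed sample, taken from the verbose output quoted in the message above.
SAMPLE_LOG = """\
Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
Disabled 1:2009005
Disabled 1:2011582
Modified 2 rules
Setting Flowbit State....
WARN - 1:2011582 is re-enabled by a check of the
ET.http.javaclient.vulnerable flowbit!
Enabled 39 flowbits
"""

# "Disabled gid:sid" lines written while disablesid.conf is processed.
DISABLED_RE = re.compile(r"^\s*Disabled (\d+):(\d+)\s*$", re.M)
# Flowbit warning; \s+ between tokens tolerates a line wrapped by mail or a terminal.
REENABLED_RE = re.compile(
    r"WARN - (\d+):(\d+) is re-enabled by a check of the\s+(\S+)\s+flowbit!"
)


def parse_pulledpork_log(text):
    """Return (set of disabled (gid, sid), dict of re-enabled (gid, sid) -> flowbits)."""
    disabled = {(int(g), int(s)) for g, s in DISABLED_RE.findall(text)}
    reenabled = {}
    for g, s, bit in REENABLED_RE.findall(text):
        reenabled.setdefault((int(g), int(s)), []).append(bit)
    return disabled, reenabled


def disable_conflicts(text):
    """Split the disabled rules into those that stayed off and those turned back on."""
    disabled, reenabled = parse_pulledpork_log(text)
    still_disabled = sorted(disabled - set(reenabled))
    conflicts = {rule: bits for rule, bits in reenabled.items() if rule in disabled}
    return still_disabled, conflicts


if __name__ == "__main__":
    still_off, conflicts = disable_conflicts(SAMPLE_LOG)
    for gid, sid in still_off:
        print(f"{gid}:{sid} stays disabled")
    for (gid, sid), bits in sorted(conflicts.items()):
        print(f"{gid}:{sid} re-enabled, flowbit(s): {', '.join(bits)}")
    # A non-zero exit lets a rule-update job flag the run for review.
    raise SystemExit(1 if conflicts else 0)
```

Run against the saved output of each rule update, this lists every flowbit that is overriding an entry in disablesid.conf.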