[Snort-users] Pulledpork doesn't disable some rules

C. L. Martinez carlopmart at ...11827...
Mon Apr 14 05:29:42 EDT 2014


On Mon, Apr 14, 2014 at 7:32 AM, C. L. Martinez <carlopmart at ...11827...> wrote:
> On Mon, Apr 14, 2014 at 6:22 AM, Y M <snort at ...15979...> wrote:
>> This is probably because of the existence of a flowbit in the rule. You
>> disable it, however, PulledPork checks/verifies flowbits, and will re-enable
>> rules based on that. Can you run your PulledPork command with -v to output
>> in verbose mode? If there is a flowbit conflict with your rule disablement,
>> it will show up in PulledPork output.
>>
>> YM
>>
>
> Oops .. You are right YM:
>
> Cleanup....
> removed 55 temporary snort files or directories from /tmp/tha_rules!
> Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
> Disabled 1:2009005
> Disabled 1:2011582
> Modified 2 rules
> Done
> Setting Flowbit State....
> WARN - 1:2011582 is re-enabled by a check of the
> ET.http.javaclient.vulnerable flowbit!
> Enabled 39 flowbits
> Done
> Writing rules to unique destination files....
> Writing rules to /data/config/etc/idpsuricata02/rules/
> Done
> Generating sid-msg.map....
> Done
> Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
> Done
> Fly Piggy Fly!
>
> Uhmm .. How can I avoid this situation??

Ok, I have applied the following solution posted in
https://code.google.com/p/pulledpork/issues/detail?id=82, using the
modifysid option, without luck.
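The behaviour YM describes above (a disabled rule that sets a flowbit is re-enabled while some still-enabled rule checks that flowbit) can be spotted before running PulledPork by reading the flowbits out of the rule file. The script below is an added illustration, not PulledPork's own code: the three rules it parses are constructed samples that only borrow the SIDs and flowbit name from the log quoted in this thread, and it reports, for each SID you intend to disable, which enabled rules still depend on a flowbit it sets.

```python
import re

# Constructed sample rules for illustration; they are NOT the real ET
# signatures, only the SIDs and the flowbit name come from the thread.
SAMPLE_RULES = """
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE set bit"; flow:established,to_server; content:"Java/1"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:noalert; sid:2011582; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE check bit"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; content:".jar"; sid:2011583; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE standalone"; content:"foo"; sid:2009005; rev:1;)
"""

# flowbits:<op>,<name>;  (bare "flowbits:noalert;" has no name and is skipped)
FLOWBITS_RE = re.compile(r"flowbits:\s*(set|setx|unset|toggle|isset|isnotset)\s*,\s*([^;]+);")
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")

def parse_flowbits(rules_text):
    """Return (setters, checkers): flowbit name -> set of SIDs using it."""
    setters, checkers = {}, {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        for op, names in FLOWBITS_RE.findall(line):
            for name in names.split("&"):  # "a&b" lists several bits at once
                name = name.strip()
                if op in ("set", "setx", "toggle"):
                    setters.setdefault(name, set()).add(sid)
                elif op in ("isset", "isnotset"):
                    checkers.setdefault(name, set()).add(sid)
    return setters, checkers

def reenabled_by_flowbits(rules_text, disabled_sids):
    """Map each SID in disabled_sids that would be re-enabled to the flowbit
    it sets and the sorted list of still-enabled SIDs that check that bit."""
    setters, checkers = parse_flowbits(rules_text)
    disabled = set(disabled_sids)
    result = {}
    for bit, setter_sids in setters.items():
        dependents = checkers.get(bit, set()) - disabled
        if not dependents:
            continue  # nobody left checks this bit, so disabling sticks
        for sid in setter_sids & disabled:
            result[sid] = (bit, sorted(dependents))
    return result

if __name__ == "__main__":
    for sid, (bit, deps) in reenabled_by_flowbits(SAMPLE_RULES, [2009005, 2011582]).items():
        print(f"1:{sid} would be re-enabled: flowbit {bit} is checked by {deps}")
```

With the sample rules this flags 1:2011582 because 1:2011583 still checks ET.http.javaclient.vulnerable, while 1:2009005 sets no flowbit and stays disabled; adding the checker SIDs to disablesid.conf makes the report empty.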
