[Snort-users] Preprocessor disabling question

SnortFan SnortFan at ...131...
Tue Feb 18 12:47:41 EST 2014


Hi All,
     Other than suppressing in the threshold.conf file on each sensor, what is the best way to disable a few of the preprocessors by Sid #? I've searched and nothing I'm reading is very clear. 

I'm using pulledpork, but would placing a disable in the disablesid.conf work for a preprocessor?

I've read mention of modifying the snort.conf but I don't see how you would block an individual Sid. 

If the only option is the threshold.conf, is it possible to do an include statement in the file, so I would then push out a universal set of suppressions to all my sensors and beable to update them all at once. 

Thanks,
Ed

Sent from a mobile device. 



More information about the Snort-users mailing list