[Snort-users] Preprocessor disabling question

Joel Esler (jesler) jesler at ...589...
Tue Feb 18 15:11:02 EST 2014


On Feb 18, 2014, at 12:47 PM, SnortFan <SnortFan at ...131...<mailto:SnortFan at ...131...>> wrote:

    Other than suppressing in the threshold.conf file on each sensor, what is the best way to disable a few of the preprocessors by Sid #? I've searched and nothing I'm reading is very clear.

You could comment them out in preprocessor.rules.

I'm using pulledpork, but would placing a disable in the disablesid.conf work for a preprocessor?

I think so, but I’m not 100% on that, I’d defer that questions to JJ.

I've read mention of modifying the snort.conf but I don't see how you would block an individual Sid.

If the only option is the threshold.conf, is it possible to do an include statement in the file, so I would then push out a universal set of suppressions to all my sensors and beable to update them all at once.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140218/634ad831/attachment.html>


More information about the Snort-users mailing list