[Snort-users] Preprocessor disabling question

SnortFan SnortFan at ...131...
Tue Feb 18 16:56:17 EST 2014


If I place an entry in the disablesid.conf. For example: 129:12 

It does take the preprocessor out of the snort.rules file. 

Would that be ok or am I going to break something?

Thanks,
Ed

Sent from a mobile device. 

> On Feb 18, 2014, at 4:37 PM, SnortFan <SnortFan at ...131...> wrote:
> 
> Aren't they now rolled into the snort.rules file in the VRT-preprocessor Rules Category? I no longer push a preprocessor.rules file to my sensors. I'm using pulledpork v7. 
> 
> Thanks,
> Ed
> 
> Sent from a mobile device. 
> 
>> On Feb 18, 2014, at 3:11 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
>> 
>> On Feb 18, 2014, at 12:47 PM, SnortFan <SnortFan at ...131...> wrote:
>> 
>>>     Other than suppressing in the threshold.conf file on each sensor, what is the best way to disable a few of the preprocessors by Sid #? I've searched and nothing I'm reading is very clear. 
>> 
>> You could comment them out in preprocessor.rules.
>> 
>>> I'm using pulledpork, but would placing a disable in the disablesid.conf work for a preprocessor?
>> 
>> I think so, but I’m not 100% on that, I’d defer that questions to JJ.
>> 
>>> I've read mention of modifying the snort.conf but I don't see how you would block an individual Sid. 
>>> 
>>> If the only option is the threshold.conf, is it possible to do an include statement in the file, so I would then push out a universal set of suppressions to all my sensors and beable to update them all at once. 
>> 
>> ------------------------------------------------------------------------------
>> Managing the Performance of Cloud-Based Applications
>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>> Read the Whitepaper.
>> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140218/0ad3b7b4/attachment.html>


More information about the Snort-users mailing list