[Snort-users] Disabling Rules via disablesid.conf

Vona, Steven A CIV NSWCCD Philadelphia, 10411 steven.vona at ...7622...
Thu Feb 5 15:47:40 EST 2015


I have Snort running on a few sensors around our network.  We have subscriptions for the rules and we use pulledpork to download the rules daily.

I am now attempting to tune the rules a little bit to disable some items that we do not need to see.  I put these in the disablesid.conf file and when I run pulledpork I see:

Processing /etc/snort/disablesid.conf....
	Disabled 3:21355
	Disabled 3:19187
	Modified 2 rules
	Done

So it looks like it is disabling the rule, however I am still receiving alerts for the rule in my database.

Any ideas?

Additional info:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3