[Snort-users] Disabling Rules via disablesid.conf

Jason Wallace jason.r.wallace at ...11827...
Fri Feb 6 10:32:23 EST 2015


Also, make sure that your snort.conf is actually pointing to the file(s)
being created/edited by pulledpork. The current registered version of
bad_traffic.rules doesn't have any rules in it, so this makes me wonder if
your snort.conf isn't pointed at the correct rule file(s).

On Fri, Feb 6, 2015 at 9:30 AM, Y M <snort at ...15979...> wrote:

>
>
> > From: steven.vona at ...7622...
> > To: snort at ...15979...
> > CC: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> > Date: Fri, 6 Feb 2015 14:16:22 +0000
> >
> > Thanks for the heads up. I followed your troubleshooting steps and I
> > found the offending alert in the bad_traffic.rules file. I deleted the line
> > and it looks like they are disabled now.
>
> # Glad that you found the source of the issue. Just keep in mind that
> manual changes to .rules files, i.e. deleting/commenting rules, will be
> overridden by the next rules update. Just a wild guess here, but from what
> you said you may have these two rules in multiple .rules files, which
> eventually are included in snort.conf. When running Snort, do the startup
> messages indicate anything about duplicate rules? Just to further verify.
>
> >
> > Thanks again.
> >
> > -----Original Message-----
> > From: Y M [mailto:snort at ...15979...]
> > Sent: Friday, February 06, 2015 2:16 AM
> > To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
> > Cc: snort-users
> > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> >
> > Comments inline.
> >
> >
> > From: steven.vona at ...7622...
> > To: snort-users at lists.sourceforge.net
> > Date: Thu, 5 Feb 2015 20:47:40 +0000
> > Subject: [Snort-users] Disabling Rules via disablesid.conf
> >
> >
> > I have Snort running on a few sensors around our network. We have
> > subscriptions for the rules and we use pulledpork to download the rules
> > daily.
> >
> > I am now attempting to tune the rules a little bit to disable some items
> > that we do not need to see. I put these in the disablesid.conf file and
> > when I run pulledpork I see:
> >
> > Processing /etc/snort/disablesid.conf....
> > Disabled 3:21355
> > Disabled 3:19187
> > Modified 2 rules
> > Done
> >
> > So it looks like it is disabling the rule, however I am still receiving
> > alerts for the rule in my database.
> >
> > Any ideas?
> > ## Some ideas to troubleshoot:
> > 1) Verify that the same sids are not included in the enablesid.conf
> > (lame, but why not).
> > 2) Has the order in which PulledPork processes rules been changed?
> > 3) If you grep for the sids from the snort.rules (given you reconcile
> > rules via PulledPork), do they exist?
> > 4) Are these two rules included in another .rules file (local.rules or
> > so)?
> >
> >
> > Additional info:
> >
> > ,,_ -*> Snort! <*-
> > o" )~ Version 2.9.6.2 GRE (Build 77)
> > '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
> > Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
> > Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> > Using libpcap version 1.3.0
> > Using PCRE version: 7.8 2008-09-05
> > Using ZLIB version: 1.2.3
> >
> >
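The checks suggested in this thread (grep the sids in the rule files, look for the same sid duplicated in a second .rules file, and confirm snort.conf actually includes the file PulledPork edits) can be scripted. The following is an added example, not code from the thread or from PulledPork; the snort.conf, rule files and sids are constructed in a temporary directory, and the PulledPork "3:21355" form is gid:sid, so the check keys on the sid part.

```shell
#!/bin/sh
# Added example: trace a sid through the rule files that snort.conf really
# includes, so "Disabled 3:21355" from PulledPork can be compared with what
# Snort will load. All paths and rules below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/rules"

# Constructed snort.conf: includes the PulledPork output and a local file.
cat > "$WORK/snort.conf" <<EOF
var RULE_PATH $WORK/rules
include \$RULE_PATH/snort.rules
include \$RULE_PATH/local.rules
EOF
# PulledPork commented the sid out here ...
cat > "$WORK/rules/snort.rules" <<'EOF'
# alert tcp any any -> any 80 (msg:"constructed"; sid:21355; gid:3; rev:1;)
alert tcp any any -> any 22 (msg:"other constructed"; sid:1000001; rev:1;)
EOF
# ... but a copy still lives in local.rules, the duplicate case from the thread.
cat > "$WORK/rules/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"copy"; sid:21355; gid:3; rev:1;)
EOF

# List the rule files snort.conf includes, with $RULE_PATH expanded.
included_rule_files() {
  conf="$1"
  rule_path=$(awk '$1=="var" && $2=="RULE_PATH" {print $3}' "$conf")
  awk '$1=="include" {print $2}' "$conf" | sed "s|\\\$RULE_PATH|$rule_path|"
}

# For one sid, print "<file> active", "<file> commented" or "<file> missing"
# for every included rule file where it appears.
sid_status() {
  conf="$1"; sid="$2"
  included_rule_files "$conf" | while read -r f; do
    [ -f "$f" ] || { echo "$f missing"; continue; }
    grep -E "sid:[[:space:]]*$sid[[:space:]]*;" "$f" | while read -r line; do
      case "$line" in
        \#*) echo "$f commented" ;;
        *)   echo "$f active" ;;
      esac
    done
  done
}

# Number of included files where the sid is still active; 0 means Snort
# will not load it, 2 or more means duplicates that startup should flag.
active_count() { sid_status "$1" "$2" | grep -c ' active$' || true; }

sid_status "$WORK/snort.conf" 21355
```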