[Snort-users] Disabling Rules via disablesid.conf

Jason Wallace jason.r.wallace at ...11827...
Fri Feb 6 12:17:59 EST 2015


Yes, you should enable these. There are options in pulledpork.conf to
handle those. Look for "sorule_path" and "distro" in pulledpork.conf and
make sure you are not passing -T on the command line.

On Fri, Feb 6, 2015 at 11:54 AM, Vona, Steven A CIV NSWCCD Philadelphia,
10411 <steven.vona at ...7622...> wrote:

> I have snort.conf pointing to so_rules directory which holds
> bad_traffic.rules.
>
> It looks like my so_rules directory hasn't been updated since 2012.  Are
> these needed?
>
> -----Original Message-----
> From: Jason Wallace [mailto:jason.r.wallace at ...11827...]
> Sent: Friday, February 06, 2015 10:32 AM
> To: Y M
> Cc: Vona, Steven A CIV NSWCCD Philadelphia, 10411; snort-users
> Subject: Re: [Snort-users] Disabling Rules via disablesid.conf
>
> Also, make sure that your snort.conf is actually pointing to the file(s)
> being created/edited by pulledpork. The current registered version of
> bad_traffic.rules doesn't have any rules in it, so this makes me wonder if
> your snort.conf isn't pointed at the correct rule file(s).
>
> On Fri, Feb 6, 2015 at 9:30 AM, Y M <snort at ...15979...> wrote:
>
>
>
>
>         > From: steven.vona at ...7622...
>         > To: snort at ...15979...
>         > CC: snort-users at lists.sourceforge.net
>         > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
>         > Date: Fri, 6 Feb 2015 14:16:22 +0000
>         >
>         > Thanks for the heads up. I followed your troubleshooting steps
> and I found the offending alert in bad_traffic.rules file. I deleted the
> line and it looks like they are disabled now.
>
>         # Glad that you found the source of the issue. Just keep in mind
> that manual changes to .rules files, i.e.: deleting/commenting rules, will
> be overridden by the next rules update. Just a wild guess here, but from
> what you said you may have these two rules in multiple .rules files, which
> eventually are included in snort.conf. When running Snort, does the startup
> messages indicate anything about duplicate rules? Just to further verify.
>
>         >
>         > Thanks again.
>         >
>         > -----Original Message-----
>         > From: Y M [mailto:snort at ...15979...]
>         > Sent: Friday, February 06, 2015 2:16 AM
>         > To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
>         > Cc: snort-users
>         > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
>         >
>         > Comments inline.
>         >
>         >
>         > From: steven.vona at ...7622...
>         > To: snort-users at lists.sourceforge.net
>         > Date: Thu, 5 Feb 2015 20:47:40 +0000
>         > Subject: [Snort-users] Disabling Rules via disablesid.conf
>         >
>         >
>         > I have Snort running on a few sensors around our network. We
> have subscriptions for the rules and we use pulledpork to download the
> rules daily.
>         >
>         > I am now attempting to tune the rules a little bit to disable
> some items that we do not need to see. I put these in disablesid.conf file
> and when I run pulledpork I see:
>         >
>         > Processing /etc/snort/disablesid.conf....
>         > Disabled 3:21355
>         > Disabled 3:19187
>         > Modified 2 rules
>         > Done
>         >
>         > So it looks like it is disabling the rule, however I am still
> receiving alerts for the rule in my database.
>         >
>         > Any ideas?
>         > ## Some ideas to troubleshoot: 1) verify that the same sids are
> not included in the enablesid.conf (lame but why not). 2) Has the order in
> which PulledPork processes rules been changed? 3) If you grep for the sids
> from the snort.rules (given you reconcile rules via PulledPork), do they
> exist? 4) Are these two rules included in another .rules file (local.rules
> or so)?
>         >
>         >
>         > Additional info:
>         >
>         > ,,_ -*> Snort! <*-
>         > o" )~ Version 2.9.6.2 GRE (Build 77)
>         > '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>         > Copyright (C) 2014 Cisco and/or its affiliates. All rights
> reserved.
>         > Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>         > Using libpcap version 1.3.0
>         > Using PCRE version: 7.8 2008-09-05
>         > Using ZLIB version: 1.2.3
>         >
>         >
>         > _______________________________________________
>         > Snort-users mailing list
>         > Snort-users at lists.sourceforge.net
>         > Go to this URL to change user options or unsubscribe:
>         > https://lists.sourceforge.net/lists/listinfo/snort-users
>         > Snort-users list archive:
>         > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>         > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
>
>
>
>
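The checks the thread converges on (Y M's steps 3 and 4, and Jason's point about snort.conf pointing at the right files) can be scripted. The following is an added example, not code from the thread or from PulledPork: it expands the var/include lines of a snort.conf and counts uncommented copies of a gid:sid in every included rules file. The snort.conf and rules files under make_demo are constructed here to mirror the stale so_rules situation described above.

```shell
#!/bin/sh
# Added example: after pulledpork reports a sid as "Disabled", confirm that no
# rules file snort.conf still includes carries an active copy of it.
# Assumes the usual "var X_PATH ..." and "include ..." snort.conf lines.

# Print every rules file named by an include line, with $RULE_PATH-style
# variables expanded from the var lines of the same snort.conf.
list_included_rules() {
    awk '
        /^[[:space:]]*var[[:space:]]+[A-Z_]*PATH[[:space:]]/ { vars[$2] = $3 }
        /^[[:space:]]*include[[:space:]]/ {
            path = $2
            for (v in vars) gsub("\\$" v, vars[v], path)
            print path
        }' "$1"
}

# Count uncommented rules carrying the given gid:sid across all included files.
# A rule with no explicit gid option belongs to gid 1.
count_active_sid() {
    conf="$1"; gid="$2"; sid="$3"; total=0
    for f in $(list_included_rules "$conf"); do
        [ -f "$f" ] || continue          # missing file: Snort loads nothing from it
        n=$(awk -v gid="$gid" -v sid="$sid" '
            /^[[:space:]]*#/ { next }
            $0 ~ ("sid:[[:space:]]*" sid "[[:space:]]*;") {
                g = "1"
                if (match($0, /gid:[[:space:]]*[0-9]+/)) {
                    g = substr($0, RSTART, RLENGTH); sub(/gid:[[:space:]]*/, "", g)
                }
                if (g == gid) c++
            }
            END { print c + 0 }' "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Constructed demo mirroring the thread: pulledpork commented 3:21355 out of
# snort.rules, but a stale so_rules/bad_traffic.rules stub still has it active.
make_demo() {
    d=$(mktemp -d); mkdir -p "$d/rules" "$d/so_rules"
    printf 'var RULE_PATH %s/rules\nvar SO_RULE_PATH %s/so_rules\n' "$d" "$d" > "$d/snort.conf"
    printf 'include $RULE_PATH/snort.rules\ninclude $SO_RULE_PATH/bad_traffic.rules\n' >> "$d/snort.conf"
    printf '# alert tcp any any -> any any (msg:"demo"; gid:3; sid:21355; rev:1;)\n' > "$d/rules/snort.rules"
    printf 'alert tcp any any -> any any (msg:"demo"; gid:3; sid:21355; rev:1;)\n' > "$d/so_rules/bad_traffic.rules"
    echo "$d"
}

d=$(make_demo)
echo "active copies of 3:21355: $(count_active_sid "$d/snort.conf" 3 21355)"   # 1: the so_rules stub
```

A non-zero count for a sid that pulledpork reported as disabled points at the file Snort is actually loading it from, which is exactly where the manual edit in this thread had to be made.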