[Snort-users] Disabling Rules via disablesid.conf

Jason Wallace jason.r.wallace at ...11827...
Fri Feb 6 13:05:38 EST 2015


Make sure you use 3:<sid> and not 1:<sid> in your PP files. All the
so_rules are gid:3.

On Fri, Feb 6, 2015 at 1:00 PM, Y M <snort at ...15979...> wrote:

>
>
> > From: steven.vona at ...7622...
> > To: jason.r.wallace at ...11827...
> > CC: snort at ...15979...; snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> > Date: Fri, 6 Feb 2015 17:33:02 +0000
> >
> > How do they get updated if not by pulledpork? And if I do enable these,
> how do I then disable certain SIDs that may show up in one of these files?
>
> If not updating via PulledPork then you manually copy the .so rules and
> associated .rules (text) from the ruleset tarball to their respective
> directories, for example
> cp so_rules/*.rules /path/to/snort/so_rules/
> cp so_rules/precompiled/<OS_TYPE>/<ARCHI>/<SNORT_VERSION>/*.so
> /path/to/snort/lib/snort_dynamicrules
>
> You can disable them using their sids, taken from the associated text
> rules file.
>
> >
> >
> >
> > -----Original Message-----
> > From: Jason Wallace [mailto:jason.r.wallace at ...11827...]
> > Sent: Friday, February 06, 2015 12:18 PM
> > To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
> > Cc: Y M; snort-users
> > Subject: Re: [Snort-users] Disabling Rules via disablesid.conf
> >
> > Yes, you should enable these. There are options in pulledpork.conf to
> > handle those. Look for "sorule_path" and "distro" in pulledpork.conf and
> > make sure you are not passing -T on the command line.
> >
> > On Fri, Feb 6, 2015 at 11:54 AM, Vona, Steven A CIV NSWCCD Philadelphia,
> 10411 <steven.vona at ...7622...> wrote:
> >
> >
> > I have snort.conf pointing to so_rules directory which holds
> bad_traffic.rules.
> >
> > It looks like my so_rules directory hasn't been updated since 2012. Are
> these needed?
> >
> >
> > -----Original Message-----
> > From: Jason Wallace [mailto:jason.r.wallace at ...11827...]
> > Sent: Friday, February 06, 2015 10:32 AM
> > To: Y M
> > Cc: Vona, Steven A CIV NSWCCD Philadelphia, 10411; snort-users
> > Subject: Re: [Snort-users] Disabling Rules via disablesid.conf
> >
> > Also, make sure that your snort.conf is actually pointing to the file(s)
> being created/edited by pulledpork. The current registered version of
> bad_traffic.rules doesn't have any rules in it, so this makes me wonder if
> your snort.conf isn't pointed at the correct rule file(s).
> >
> > On Fri, Feb 6, 2015 at 9:30 AM, Y M <snort at ...15979...> wrote:
> >
> >
> >
> >
> > > From: steven.vona at ...7622...
> > > To: snort at ...15979...
> > > CC: snort-users at lists.sourceforge.net
> > > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> > > Date: Fri, 6 Feb 2015 14:16:22 +0000
> > >
> > > Thanks for the heads up. I followed your troubleshooting steps and I
> found the offending alert in bad_traffic.rules file. I deleted the line and
> it looks like they are disabled now.
> >
> > # Glad that you found the source of the issue. Just keep in mind that
> > manual changes to .rules files, i.e.: deleting/commenting rules, will be
> > overridden by the next rules update. Just a wild guess here, but from what
> > you said you may have these two rules in multiple .rules files, which
> > eventually are included in snort.conf. When running Snort, do the startup
> > messages indicate anything about duplicate rules? Just to further verify.
> >
> > >
> > > Thanks again.
> > >
> > > -----Original Message-----
> > > From: Y M [mailto:snort at ...15979...]
> > > Sent: Friday, February 06, 2015 2:16 AM
> > > To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
> > > Cc: snort-users
> > > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> > >
> > > Comments inline.
> > >
> > >
> > > From: steven.vona at ...7622...
> > > To: snort-users at lists.sourceforge.net
> > > Date: Thu, 5 Feb 2015 20:47:40 +0000
> > > Subject: [Snort-users] Disabling Rules via disablesid.conf
> > >
> > >
> > > I have Snort running on a few sensors around our network. We have
> subscriptions for the rules and we use pulledpork to download the rules
> daily.
> > >
> > > I am now attempting to tune the rules a little bit to disable some
> > > items that we do not need to see. I put these in the disablesid.conf file and
> > > when I run pulledpork I see:
> > >
> > > Processing /etc/snort/disablesid.conf....
> > > Disabled 3:21355
> > > Disabled 3:19187
> > > Modified 2 rules
> > > Done
> > >
> > > So it looks like it is disabling the rule, however I am still
> receiving alerts for the rule in my database.
> > >
> > > Any ideas?
> > > ## Some ideas to troubleshoot: 1) verify that the same sids are not
> > > included in the enablesid.conf (lame but why not). 2) Has the order in
> > > which PulledPork processes rules been changed? 3) if you grep for the sids
> > > from the snort.rules (given you reconcile rules via PulledPork), do they
> > > exist? 4) Are these two rules included in another .rules file (local.rules
> > > or so)?
> > >
> > >
> > > Additional info:
> > >
> > > ,,_ -*> Snort! <*-
> > > o" )~ Version 2.9.6.2 GRE (Build 77)
> > > '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
> > > Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
> > > Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> > > Using libpcap version 1.3.0
> > > Using PCRE version: 7.8 2008-09-05
> > > Using ZLIB version: 1.2.3
> > >
> > >
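A small checker, added here as an example and not part of the thread, for the three failure modes the replies above point at: a disablesid.conf entry written with the wrong gid (1:<sid> instead of 3:<sid> for so_rules), a sid that pulledpork commented out in snort.rules but that is still live in another .rules file included by snort.conf, and a sid that exists in no rule file at all. The rule files, their contents and the disablesid.conf lines are constructed sample data, and only plain gid:sid entries are handled.

```python
import re
# Constructed sample files modelled on the thread: pulledpork's snort.rules has the
# so-rule stubs commented out, but an old so_rules/bad-traffic.rules still has sid 21355 live.
RULE_FILES = {
    "rules/snort.rules":
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SO stub A"; sid:21355; gid:3; rev:4;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SO stub B"; sid:19187; gid:3; rev:2;)\n',
    "so_rules/bad-traffic.rules":
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SO stub A"; sid:21355; gid:3; rev:4;)\n',
}
# Constructed disablesid.conf: a correct entry, one with the wrong gid, one unknown sid
DISABLESID = "3:21355\n1:19187   # should be 3:19187\n1:99999\n"

RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def index_rules(files):
    """Map (gid, sid) -> [(file, enabled), ...]; gid defaults to 1 when absent."""
    index = {}
    for path, text in files.items():
        for line in text.splitlines():
            m = RULE_RE.match(line)
            sid = SID_RE.search(m.group("opts")) if m else None
            if not sid:
                continue
            gid = GID_RE.search(m.group("opts"))
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            index.setdefault(key, []).append((path, m.group("off") is None))
    return index

def parse_disablesid(text):
    """Parse gid:sid lines of disablesid.conf; comments and blanks are skipped."""
    entries = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    return [tuple(int(x) for x in e.split(":", 1)) for e in entries if e]

def check(files, disablesid_text):
    """Return {(gid, sid): (status, detail)} for every disablesid entry."""
    index = index_rules(files)
    report = {}
    for gid, sid in parse_disablesid(disablesid_text):
        hits = index.get((gid, sid), [])
        if not hits:  # wrong gid in disablesid.conf (1: vs 3:) or unknown sid
            other = sorted(g for (g, s) in index if s == sid)
            report[(gid, sid)] = ("gid_mismatch", other) if other else ("not_found", [])
            continue
        live = [path for path, on in hits if on]  # copies Snort will still load
        report[(gid, sid)] = ("still_enabled", live) if live else ("disabled", [])
    return report
```

Point RULE_FILES at the real paths your snort.conf includes (so_rules and the pulledpork output) and the report shows which file is still feeding an alert you thought you had disabled.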