[Snort-users] Rule won't disable

Doug Burks doug.burks at ...11827...
Thu Feb 25 07:16:16 EST 2016


Hi Luke,

Please see:

https://groups.google.com/d/topic/security-onion/ZAokmNMGNCo/discussion

https://groups.google.com/d/topic/security-onion/SDvSoNQlSiY/discussion

https://groups.google.com/d/topic/security-onion/-twsY91fRf4/discussion

On Thu, Feb 25, 2016 at 6:49 AM, Luke Ager <luke.ager at ...17469...> wrote:
> Hi guys.
> Having trouble in SecOnion with a rule that simply won't be disabled :)
> Maybe I am missing something. The rule in question is TMG Firewall Client
> long host entry exploit attempt 1:19187.
> It fires pretty regularly in my network and I've had a poke around and not
> worried about the alerts.
>
> I've always just used the threshold.conf to tune out most things but in this
> case that didn't seem to work and so have also added to disabledsid.conf
> within pulledpork directory.
>
> In threshold.conf I have:
> Suppress gen_id 1, sig_id 19187
>
> and in disabledsid.conf I have:
> 1:19187,(more rules),(more rules)
>
> Any help would be appreciated.
>
> thanks
> L
>



-- 
Doug Burks
http://securityonion.net



