[Snort-users] pulledpork

Shirkdog shirkdog at ...11827...
Tue Jun 28 09:20:12 EDT 2016


Check out the latest code (marked 0.7.2-ALPHA) as there have been
updates to support signatures with gid != 1.

If it does not work, post an issue on GitHub.

For your second question, I normally disable those through
threshold.conf, and that is something pulledpork does not do, but it
would potentially be an enhancement to include.

---
Michael Shirk
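
A check for the situation in this thread, added here as an example and not part of the original message or of pulledpork: it compares disablesid.conf entries against the generated rules file, reports which rules are still active, and for entries with no rule in the file prints the `suppress` line that would go in threshold.conf. Assumptions: only `gid:sid` and bare `sid` entries are parsed, a bare sid means gid 1, and all sample input except the `3:19187` entry from the quoted question is constructed.

```python
import re

# gid:sid or bare sid entries (assumption: a bare sid means gid 1).
ENTRY = re.compile(r"^(?:(\d+):)?(\d+)$")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def parse_disablesid(text):
    """Return the set of (gid, sid) pairs listed in disablesid.conf text."""
    wanted = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        for item in filter(None, (p.strip() for p in line.split(","))):
            m = ENTRY.match(item)
            if m:  # other entry forms (ranges, pcre:) are not handled here
                wanted.add((int(m.group(1) or 1), int(m.group(2))))
    return wanted

def parse_rules(text):
    """Map (gid, sid) -> True if the rule is active, False if commented out."""
    state = {}
    for line in text.splitlines():
        body = line.strip()
        sid = SID.search(body)
        if sid:
            gid = GID.search(body)
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            state[key] = not body.startswith("#")
    return state

def audit(disable_text, rules_text):
    """Classify each requested disable: still active, disabled, or not in the file."""
    state = parse_rules(rules_text)
    report = {"still_active": [], "disabled": [], "suppress": []}
    for key in sorted(parse_disablesid(disable_text)):
        if key not in state:
            # No rule in the file (e.g. preprocessor events): use threshold.conf.
            report["suppress"].append("suppress gen_id %d, sig_id %d" % key)
        else:
            report["still_active" if state[key] else "disabled"].append(key)
    return report

# Constructed sample input; only the 3:19187 entry comes from the thread.
DISABLE = "3:19187 # PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt\n2000001, 119:2\n"
RULES = ('alert udp any 53 -> any any (msg:"constructed stub"; sid:19187; gid:3; rev:1;)\n'
         '# alert tcp any any -> any any (msg:"constructed local rule"; sid:2000001; rev:1;)\n')

if __name__ == "__main__":
    print(audit(DISABLE, RULES))
```

An entry reported under `still_active` after a pulledpork run means the disable was not applied to the file Snort actually loads.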


On Tue, Jun 28, 2016 at 9:11 AM, James <snort at ...16635...> wrote:
> Hello all,
>
> I'm a bit stuck with setting up pulledpork for the first time, specifically
> disabling certain rules. I've read flowbits can cause this, but that's not
> present in the first one I've checked. My pulledpork.conf points to the
> correct location for disablesid.conf, which I've listed out a few like:
>
> 3:19187 # PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
>
> When I re-run pulledpork.pl it says no rule changes are made and when I then
> restart Snort, I still see these rules firing.
>
> While I'm here trying to solve that I may as well ask another question: Can
> I also use disablesid.conf to disable things like certain http_inspect
> and/or stream5 events, which don't appear to exist in the snort.rules file
> pulledpork uses?
>
> Thanks for your wisdom.
>
> James