Snort mailing list archives

Re: Being killed by poor IE rules.

From: JJ Cummings <cummingsj () gmail com>
Date: Wed, 27 Jan 2010 10:17:02 -0700

you should be able to comment out the stub rule itself, you are saying that
this did not work?  Of course I have to ask, you did send a HUP to snort, or
restart altogether, correct?

On Wed, Jan 27, 2010 at 10:06 AM, evilghost () packetmail net <
evilghost () packetmail net> wrote:

Curious, what's the method to disable a singular GID3 rule without need to
do a
suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID,
which is
GID3, that you want to disable?  I've got a few GID3's that are "map the
network" in my environment that I'd like to not incur the processing hit.

I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.
 It
still fires.  Am I missing something?

-evilghost


Nigel Houghton wrote:

You can of course choose to not load the shared object libraries at
all. You can also choose to not load the .rules files, or just like
with regular rules, you can disable certain shared object rules by
commenting out the stub rule in the .rules files. Up to you which way
to go.



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the
business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread:

Being killed by poor IE rules... Guise McAllaster (Jan 26)
- <Possible follow-ups>
- Re: Being killed by poor IE rules... Keith Butler (Jan 26)
  - Re: Being killed by poor IE rules... Matt Olney (Jan 26)
    - Re: Being killed by poor IE rules... Guise McAllaster (Jan 27)
    - Re: Being killed by poor IE rules... Matt Olney (Jan 27)
    - Re: Being killed by poor IE rules... Nigel Houghton (Jan 27)
    - Re: Being killed by poor IE rules. evilghost () packetmail net (Jan 27)
    - Re: Being killed by poor IE rules. JJ Cummings (Jan 27)
    - Re: Being killed by poor IE rules. evilghost () packetmail net (Jan 27)
    - Re: Being killed by poor IE rules. JJ Cummings (Jan 27)
    - Re: Being killed by poor IE rules. Nigel Houghton (Jan 27)
    - Re: Being killed by poor IE rules... Joel Esler (Jan 27)