Snort mailing list archives

Re: Being killed by poor IE rules.


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Wed, 27 Jan 2010 12:22:51 -0500

On Wed, Jan 27, 2010 at 12:06 PM, evilghost () packetmail net
<evilghost () packetmail net> wrote:
Curious, what's the method to disable a singular GID3 rule without need to do a
suppression?  Simply comment out the stub in $SO_RULE_PATH for the SID, which is
GID3, that you want to disable?  I've got a few GID3's that are "map the
network" in my environment that I'd like to not incur the processing hit.

I tried commenting out the rule, for example, SID 13947 GID 3, to no avail.  It
still fires.  Am I missing something?

-evilghost


Nigel Houghton wrote:
You can of course choose to not load the shared object libraries at
all. You can also choose to not load the .rules files, or just like
with regular rules, you can disable certain shared object rules by
commenting out the stub rule in the .rules files. Up to you which way
to go.



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



Yes, that's exactly how to do it. The shared object rules require the
corresponding stub rule to be present in order for the rule to be
active.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
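
One way to script the stub edit discussed in this thread, as an added example that is not part of the original messages or of Snort itself. It comments out the stub for a given SID only where the rule is GID 3, then reports which GID 3 SIDs are still active. The sample rules and all function names are constructed for illustration.

```python
import re

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed stub file contents (illustrative rules, not from a real rule pack).
SAMPLE = "\n".join([
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed A"; sid:13947; gid:3; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed B"; sid:139470; gid:3; rev:1;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed C"; sid:15000; gid:3; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed D, text rule"; sid:13947; rev:1;)',
    "# plain comment mentioning sid:13947; gid:3;",
]) + "\n"


def parse_rule(line):
    """Return (gid, sid, active) for a rule line, or None for anything else."""
    body = line.strip()
    active = not body.startswith("#")
    body = body.lstrip("#").strip()
    sid = SID_RE.search(body)
    if not body.startswith(ACTIONS) or sid is None:
        return None
    gid = GID_RE.search(body)
    # A rule with no gid option belongs to the default generator, GID 1.
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)), active)


def disable_stubs(text, sids, gid=3):
    """Comment out active rules matching gid and any of sids; return (text, changed_sids)."""
    out, changed = [], []
    for line in text.splitlines(keepends=True):
        info = parse_rule(line)
        if info and info[0] == gid and info[1] in sids and info[2]:
            line = "# " + line
            changed.append(info[1])
        out.append(line)
    return "".join(out), changed


def active_sids(text, gid=3):
    """SIDs of rules for gid that are still uncommented, for a post-edit check."""
    found = (parse_rule(l) for l in text.splitlines())
    return {i[1] for i in found if i and i[0] == gid and i[2]}
```

Run `active_sids` over every .rules file the Snort configuration includes to confirm no second active copy of the stub remains, then restart Snort so the edited rules are read.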


