Re: Disabling Rules via disablesid.conf

[Jason Wallace <jason.r.wallace () gmail com>]

Also, make sure that your snort.conf is actually pointing to the file(s)
being created/edited by pulledpork. The current registered version of
bad_traffic.rules
doesn't have any rules in it, so this makes me wonder if your snort.conf
isn't pointed at the correct rule file(s).

On Fri, Feb 6, 2015 at 9:30 AM, Y M <snort () outlook com> wrote:

> > From: steven.vona () navy mil
> > To: snort () outlook com
> > CC: snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> > Date: Fri, 6 Feb 2015 14:16:22 +0000
> >
> > Thanks for the heads up. I followed your troubleshooting steps and I
> found the offending alert in bad_traffic.rules file. I deleted the line and
> it looks like they are disabled now.
>
> # Glad that you found the source of the issue. Just keep in mind that
> manual changes to .rules files, i.e.: deleting/commenting rules, will be
> overridden by the next rules update. Just a wild guess here, but from what
> you said you may have these two rules in multiple .rules files, which
> eventually are included in snort.conf. When running Snort, does the startup
> messages indicate anything about duplicate rules? Just to further verify.
>
> > Thanks again.
> >
> > -----Original Message-----
> > From: Y M [mailto:snort () outlook com]
> > Sent: Friday, February 06, 2015 2:16 AM
> > To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
> > Cc: snort-users
> > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> >
> > Comments inline.
> >
> >
> > From: steven.vona () navy mil
> > To: snort-users () lists sourceforge net
> > Date: Thu, 5 Feb 2015 20:47:40 +0000
> > Subject: [Snort-users] Disabling Rules via disablesid.conf
> >
> >
> > I have Snort running on a few sensors around our network. We have
> subscriptions for the rules and we use pulledpork to download the rules
> daily.
> > I am not attempting to turn the rules a little bit to disable some items
> that we do not need to see. I put these in disablesid.conf file and when I
> run pulled pork I see:
> > Processing /etc/snort/disablesid.conf....
> > Disabled 3:21355
> > Disabled 3:19187
> > Modified 2 rules
> > Done
> >
> > So it looks like it is disabling the rule, however I am still receiving
> alerts for the rule in my database.
> > Any ideas?
> > ## Some ideas to troubleshoot: 1) verify that the same sids are not
> included in the enablesid.conf (lame but why not). 2) Has the order in
> which PulledPork processes rules been changed?. 3) if you grep for the sids
> from the snort.rules (given you reconcile rules vi PulledPork), do they
> exist? 4) Are these two rules included in another .rules file (local.rules
> or so)?
> > Additional info:
> >
> > ,,_ -*> Snort! <*-
> > o" )~ Version 2.9.6.2 GRE (Build 77)
> > '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
> > Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
> > Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> > Using libpcap version 1.3.0
> > Using PCRE version: 7.8 2008-09-05
> > Using ZLIB version: 1.2.3
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________ Snort-users mailing list
> Snort-users () lists sourceforge net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!