Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Disabling Rules via disablesid.conf

From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 6 Feb 2015 13:05:38 -0500
Make sure you use 3:<sid> and not 1:<sid> in your PP files. All the
so_rules are gid:3.

On Fri, Feb 6, 2015 at 1:00 PM, Y M <snort () outlook com> wrote:





From: steven.vona () navy mil
To: jason.r.wallace () gmail com
CC: snort () outlook com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
Date: Fri, 6 Feb 2015 17:33:02 +0000

How do they get updated if not by pulledpork? And if I do enable these,

how do I then disable certain SIDs that may show up in one of these files?

If not updating via PulledPork then you manually copy the .so rules and
associated .rules (text) from the ruleset tarball to their respective
directories, for example
cp so_rules/*.rules /path/to/snort/so_rules/
cp so_rules/precompiled/<OS_TYPE>/<ARCHI>/<SNORT_VERSION>/*.so
/path/to/snort/lib/snort_dynamicrules

You can disable them using their sids, taken from the associated text
rules file.





-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Friday, February 06, 2015 12:18 PM
To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
Cc: Y M; snort-users
Subject: Re: [Snort-users] Disabling Rules via disablesid.conf

Yes, you should enable these. There are options in pulledpork.conf to

handle those. Look for "sorule_path" and "distro" in pulledpork.conf and
makes sure you are not passing -T on the command line.


On Fri, Feb 6, 2015 at 11:54 AM, Vona, Steven A CIV NSWCCD Philadelphia,

10411 <steven.vona () navy mil> wrote:



I have snort.conf pointing to so_rules directory which holds

bad_traffic.rules.


It looks like my so_rules directory hasn't been updated since 2012. Are

these needed?



-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Friday, February 06, 2015 10:32 AM
To: Y M
Cc: Vona, Steven A CIV NSWCCD Philadelphia, 10411; snort-users
Subject: Re: [Snort-users] Disabling Rules via disablesid.conf

Also, make sure that your snort.conf is actually pointing to the file(s)

being created/edited by pulledpork. The current registered version of
bad_traffic.rules doesn't have any rules in it, so this makes me wonder if
your snort.conf isn't pointed at the correct rule file(s).


On Fri, Feb 6, 2015 at 9:30 AM, Y M <snort () outlook com> wrote:





From: steven.vona () navy mil
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
Date: Fri, 6 Feb 2015 14:16:22 +0000

Thanks for the heads up. I followed your troubleshooting steps and I

found the offending alert in bad_traffic.rules file. I deleted the line and
it looks like they are disabled now.


# Glad that you found the source of the issue. Just keep in mind that

manual changes to .rules files, i.e.: deleting/commenting rules, will be
overridden by the next rules update. Just a wild guess here, but from what
you said you may have these two rules in multiple .rules files, which
eventually are included in snort.conf. When running Snort, does the startup
messages indicate anything about duplicate rules? Just to further verify.




Thanks again.

-----Original Message-----
From: Y M [mailto:snort () outlook com]
Sent: Friday, February 06, 2015 2:16 AM
To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
Cc: snort-users
Subject: RE: [Snort-users] Disabling Rules via disablesid.conf

Comments inline.


From: steven.vona () navy mil
To: snort-users () lists sourceforge net
Date: Thu, 5 Feb 2015 20:47:40 +0000
Subject: [Snort-users] Disabling Rules via disablesid.conf


I have Snort running on a few sensors around our network. We have

subscriptions for the rules and we use pulledpork to download the rules
daily.


I am not attempting to turn the rules a little bit to disable some

items that we do not need to see. I put these in disablesid.conf file and
when I run pulled pork I see:


Processing /etc/snort/disablesid.conf....
Disabled 3:21355
Disabled 3:19187
Modified 2 rules
Done

So it looks like it is disabling the rule, however I am still

receiving alerts for the rule in my database.


Any ideas?
## Some ideas to troubleshoot: 1) verify that the same sids are not

included in the enablesid.conf (lame but why not). 2) Has the order in
which PulledPork processes rules been changed?. 3) if you grep for the sids
from the snort.rules (given you reconcile rules vi PulledPork), do they
exist? 4) Are these two rules included in another .rules file (local.rules
or so)?



Additional info:

,,_ -*> Snort! <*-
o" )~ Version 2.9.6.2 GRE (Build 77)
'''' By Martin Roesch & The Snort Team:

http://www.snort.org/snort/snort-team

Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3



------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is
your hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________ Snort-users mailing

list Snort-users () lists sourceforge net Go to this URL to change user
options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list
archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!





------------------------------------------------------------------------------

Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is

your

hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take

a

look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest

Snort news!










------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: