Snort mailing list archives
Re: Disabling Rules via disablesid.conf
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 6 Feb 2015 13:05:38 -0500
Make sure you use 3:<sid> and not 1:<sid> in your PP files. All the so_rules are gid:3.

On Fri, Feb 6, 2015 at 1:00 PM, Y M <snort () outlook com> wrote:
> From: steven.vona () navy mil
> To: jason.r.wallace () gmail com
> CC: snort () outlook com; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> Date: Fri, 6 Feb 2015 17:33:02 +0000
>
> How do they get updated if not by pulledpork? And if I do enable these, how do I then disable certain SIDs that may show up in one of these files?
>
> If not updating via PulledPork then you manually copy the .so rules and associated .rules (text) from the ruleset tarball to their respective directories, for example
>
>     cp so_rules/*.rules /path/to/snort/so_rules/
>     cp so_rules/precompiled/<OS_TYPE>/<ARCHI>/<SNORT_VERSION>/*.so /path/to/snort/lib/snort_dynamicrules
>
> You can disable them using their sids, taken from the associated text rules file.
>
> -----Original Message-----
> From: Jason Wallace [mailto:jason.r.wallace () gmail com]
> Sent: Friday, February 06, 2015 12:18 PM
> To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
> Cc: Y M; snort-users
> Subject: Re: [Snort-users] Disabling Rules via disablesid.conf
>
> Yes, you should enable these. There are options in pulledpork.conf to handle those. Look for "sorule_path" and "distro" in pulledpork.conf and make sure you are not passing -T on the command line.
>
> On Fri, Feb 6, 2015 at 11:54 AM, Vona, Steven A CIV NSWCCD Philadelphia, 10411 <steven.vona () navy mil> wrote:
> > I have snort.conf pointing to so_rules directory which holds bad_traffic.rules. It looks like my so_rules directory hasn't been updated since 2012. Are these needed?
> >
> > -----Original Message-----
> > From: Jason Wallace [mailto:jason.r.wallace () gmail com]
> > Sent: Friday, February 06, 2015 10:32 AM
> > To: Y M
> > Cc: Vona, Steven A CIV NSWCCD Philadelphia, 10411; snort-users
> > Subject: Re: [Snort-users] Disabling Rules via disablesid.conf
> >
> > Also, make sure that your snort.conf is actually pointing to the file(s) being created/edited by pulledpork. The current registered version of bad_traffic.rules doesn't have any rules in it, so this makes me wonder if your snort.conf isn't pointed at the correct rule file(s).
> >
> > On Fri, Feb 6, 2015 at 9:30 AM, Y M <snort () outlook com> wrote:
> > > From: steven.vona () navy mil
> > > To: snort () outlook com
> > > CC: snort-users () lists sourceforge net
> > > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> > > Date: Fri, 6 Feb 2015 14:16:22 +0000
> > >
> > > Thanks for the heads up. I followed your troubleshooting steps and I found the offending alert in bad_traffic.rules file. I deleted the line and it looks like they are disabled now.
> > >
> > > # Glad that you found the source of the issue. Just keep in mind that manual changes to .rules files, i.e. deleting/commenting rules, will be overridden by the next rules update. Just a wild guess here, but from what you said you may have these two rules in multiple .rules files, which eventually are included in snort.conf. When running Snort, do the startup messages indicate anything about duplicate rules? Just to further verify.
> > >
> > > Thanks again.
> > >
> > > -----Original Message-----
> > > From: Y M [mailto:snort () outlook com]
> > > Sent: Friday, February 06, 2015 2:16 AM
> > > To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
> > > Cc: snort-users
> > > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
> > >
> > > Comments inline.
> > >
> > > From: steven.vona () navy mil
> > > To: snort-users () lists sourceforge net
> > > Date: Thu, 5 Feb 2015 20:47:40 +0000
> > > Subject: [Snort-users] Disabling Rules via disablesid.conf
> > >
> > > I have Snort running on a few sensors around our network. We have subscriptions for the rules and we use pulledpork to download the rules daily. I am now attempting to tune the rules a little bit to disable some items that we do not need to see. I put these in disablesid.conf file and when I run pulled pork I see:
> > >
> > >     Processing /etc/snort/disablesid.conf....
> > >     Disabled 3:21355
> > >     Disabled 3:19187
> > >     Modified 2 rules
> > >     Done
> > >
> > > So it looks like it is disabling the rule, however I am still receiving alerts for the rule in my database. Any ideas?
> > >
> > > ## Some ideas to troubleshoot:
> > > 1) verify that the same sids are not included in the enablesid.conf (lame but why not).
> > > 2) Has the order in which PulledPork processes rules been changed?
> > > 3) if you grep for the sids from the snort.rules (given you reconcile rules via PulledPork), do they exist?
> > > 4) Are these two rules included in another .rules file (local.rules or so)?
> > >
> > > Additional info:
> > >
> > >        ,,_     -*> Snort! <*-
> > >       o"  )~   Version 2.9.6.2 GRE (Build 77)
> > >        ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> > >                Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
> > >                Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> > >                Using libpcap version 1.3.0
> > >                Using PCRE version: 7.8 2008-09-05
> > >                Using ZLIB version: 1.2.3
> > >
> > > ------------------------------------------------------------------------------
> > > Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
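The checks the thread converges on (Y M's "grep for the sids" and "are they included in another .rules file", plus Jason's point that so_rules are gid 3, so a 1:<sid> entry never matches them) can be run as one audit over the files snort.conf actually includes. The script below is an added example written for this archive page; it is not PulledPork's or Snort's own code. The snort.conf, rule files and disablesid.conf it reads are constructed in-memory samples, and the /etc/snort paths, the rule messages and the "stale so_rules directory" scenario are assumptions chosen to mirror the thread.

```python
"""Cross-check disablesid.conf entries against the rule files that snort.conf
actually includes: which file(s) each gid:sid lives in, whether any copy is
still active, and whether an entry names the wrong gid (1:<sid> for a
so_rule that is really 3:<sid>). Added example, not PulledPork's or Snort's code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample files keyed by path (assumed /etc/snort layout) so the
# example runs offline. The stale so_rules directory still carries active
# copies of two rules PulledPork commented out in snort.rules, and local.rules
# duplicates a text rule.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/snort/snort.conf": (
        "var RULE_PATH /etc/snort/rules\n"
        "var SO_RULE_PATH /etc/snort/so_rules\n"
        "include $RULE_PATH/snort.rules\n"
        "include $RULE_PATH/local.rules\n"
        "include $SO_RULE_PATH/bad_traffic.rules\n"
    ),
    "/etc/snort/rules/snort.rules": (
        '# alert tcp any any -> any any (msg:"so stub"; sid:21355; gid:3; rev:1;)\n'
        '# alert tcp any any -> any any (msg:"so stub"; sid:19187; gid:3; rev:1;)\n'
        '# alert tcp any any -> any 80 (msg:"text rule A"; sid:1000001; rev:1;)\n'
        '# alert tcp any any -> any 80 (msg:"text rule B"; sid:1000002; rev:1;)\n'
    ),
    "/etc/snort/rules/local.rules": (
        'alert tcp any any -> any 80 (msg:"text rule A copy"; sid:1000001; rev:1;)\n'
    ),
    "/etc/snort/so_rules/bad_traffic.rules": (
        'alert tcp any any -> any any (msg:"stale so stub"; sid:21355; gid:3; rev:1;)\n'
        'alert tcp any any -> any any (msg:"stale so stub"; sid:19187; gid:3; rev:1;)\n'
    ),
}

# Constructed disablesid.conf; 1:19187 uses the wrong gid for a so_rule.
SAMPLE_DISABLESID = "# constructed\n3:21355\n1:19187\n1:1000001\n1:1000002\n"

RULE_RE = re.compile(
    r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+.*\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ENTRY_RE = re.compile(r"^(\d+):(\d+)$")


def parse_rule_line(line: str) -> Optional[Tuple[bool, int, int]]:
    """Return (active, gid, sid) for a rule line, else None. A leading '#'
    means the rule is disabled; gid defaults to 1 when absent, as Snort does."""
    m = RULE_RE.match(line)
    if not m:
        return None
    sid = SID_RE.search(m.group("opts"))
    if not sid:
        return None
    gid = GID_RE.search(m.group("opts"))
    return (m.group(1) is None, int(gid.group(1)) if gid else 1, int(sid.group(1)))


def included_rule_files(conf_text: str) -> List[str]:
    """Expand 'var' definitions and return the paths named by 'include' lines
    in include order (ipvar/portvar never hold paths and are ignored)."""
    variables: Dict[str, str] = {}
    paths: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith("include "):
            path = line.split(None, 1)[1]
            paths.append(re.sub(r"\$(\w+)",
                                lambda v: variables.get(v.group(1), v.group(0)), path))
    return paths


def audit(files: Dict[str, str], conf_path: str, disablesid: str) -> Dict[str, str]:
    """Map each gid:sid entry of disablesid.conf to a finding: where the rule
    is loaded from, whether a copy is still active, or a gid mismatch."""
    index: Dict[Tuple[int, int], List[Tuple[str, bool]]] = {}
    for path in included_rule_files(files[conf_path]):
        for line in files.get(path, "").splitlines():
            parsed = parse_rule_line(line)
            if parsed:
                active, gid, sid = parsed
                index.setdefault((gid, sid), []).append((path, active))
    findings: Dict[str, str] = {}
    for raw in disablesid.splitlines():
        entry = raw.strip()
        m = ENTRY_RE.match(entry)
        if not m:  # blank lines, comments, pcre: and range entries are skipped
            continue
        gid, sid = int(m.group(1)), int(m.group(2))
        hits = index.get((gid, sid), [])
        if not hits:
            other = sorted(g for (g, s) in index if s == sid and g != gid)
            findings[entry] = (f"sid {sid} is loaded only as gid {other[0]}; fix the gid"
                               if other else "not found in any included rules file")
        elif any(active for _, active in hits):
            findings[entry] = "still active in " + ", ".join(p for p, a in hits if a)
        elif len(hits) > 1:
            findings[entry] = "disabled in every copy, but present in multiple files"
        else:
            findings[entry] = "disabled"
    return findings


if __name__ == "__main__":
    for entry, finding in audit(SAMPLE_FILES, "/etc/snort/snort.conf",
                                SAMPLE_DISABLESID).items():
        print(f"{entry}: {finding}")
```

On the sample data the audit reports 3:21355 as still active in the stale bad_traffic.rules, 1:19187 as a gid mismatch (the rule exists only as 3:19187), 1:1000001 as still active through the duplicate in local.rules, and 1:1000002 as cleanly disabled. To run it against a real sensor, replace SAMPLE_FILES with a dict built by reading snort.conf and each included path from disk; the parser only handles plain `var` substitution and single-line rules, which is what PulledPork writes.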
Current thread:
- Disabling Rules via disablesid.conf Vona, Steven A CIV NSWCCD Philadelphia, 10411 (Feb 05)
- Re: Disabling Rules via disablesid.conf Y M (Feb 05)
- Re: Disabling Rules via disablesid.conf Vona, Steven A CIV NSWCCD Philadelphia, 10411 (Feb 06)
- Re: Disabling Rules via disablesid.conf Y M (Feb 06)
- Re: Disabling Rules via disablesid.conf Jason Wallace (Feb 06)
- Re: Disabling Rules via disablesid.conf Vona, Steven A CIV NSWCCD Philadelphia, 10411 (Feb 06)
- Re: Disabling Rules via disablesid.conf Jason Wallace (Feb 06)
- Re: Disabling Rules via disablesid.conf Vona, Steven A CIV NSWCCD Philadelphia, 10411 (Feb 06)
- Re: Disabling Rules via disablesid.conf Y M (Feb 06)
- Re: Disabling Rules via disablesid.conf Jason Wallace (Feb 06)
- Re: Disabling Rules via disablesid.conf Vona, Steven A CIV NSWCCD Philadelphia, 10411 (Feb 06)
- Re: Disabling Rules via disablesid.conf Y M (Feb 05)