Snort mailing list archives
Re: Snort Rule management
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Mon, 6 Sep 2021 18:15:49 +0200
It all depends on how you are running Snort and which version of PP you're running.

Is this rule one of your own local rules? If so: comment it out in your local.rules file and re-run PulledPork to re-create the combined rules file.

If this rule is coming from one of the downloaded rulesets or a built-in rule, you have a few options. With PulledPork 2 you can use the disablesid.conf <https://github.com/shirkdog/pulledpork/blob/master/etc/disablesid.conf> file to disable this rule. If you're running PulledPork 3, this functionality is not yet implemented. However, you could configure Snort to suppress this alert in its output (you can do this if you're running PP2 as well, since it's a Snort configuration):

From a similar email I responded to:

I'd recommend you look into using the suppress module in your snort.lua file. Details are in the Snort reference manual <https://github.com/snort3/snort3/releases/download/3.1.5.0/snort_reference.pdf> (section 2.30), and there's an example here <https://github.com/snort3/snort3_demo/blob/master/tests/framework/suppress/snort.lua>. I haven't used this module, but I think you'd want to include something like the following in your snort.lua file (you'll want to test this because I haven't):

    suppress =
    {
        { gid = 112, sid = 1, },
        { -- you can add other rules to ignore here
            gid = 1, sid = 12345,
        }
    }

Noah

On Mon, Sep 6, 2021 at 3:14 PM Ian via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi Marc,

Aside from commenting/removing the rules out of your snort.conf file I'm not sure there is any "better way". Keep in mind I am only familiar with Snort in lab environments, my team has not been able to use snort in production. This page is my go-to though, I would look through the manuals section near the bottom. Snort.org Snort3 Resources <https://www.snort.org/snort3>

Hope that helps some. Take care.

-----------------------------------------------------------
Ian
Sent with ProtonMail <https://protonmail.com/> Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, September 5th, 2021 at 9:29 AM, Marc <marc () mirabilisllc com> wrote:

Hi,

What would be a good reference on managing (not writing) Snort3 Rules? Specifically, I am running Snort 3.1.6 with SO rules and Pulled Pork. I am having difficulty removing rules (e.g. a noisy ICMP rule). I am looking for a concise reference or alternately a tutorial on commenting out rules and recompiling them. I have tried commenting out the rule in pulledpork.rules and local.rules and restarting Snort, but that didn’t do it.

Thank you.

Regards,
Marc

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats! https://snort.org/downloads/#rule-downloads
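The "comment it out and regenerate the combined file" step Noah describes is the one Marc says did not take effect for him. As an added example (mine, not code from this thread, from Snort or from PulledPork), here is the mechanical part of that step done by gid:sid rather than by hand, against a constructed sample rules file, with a check that only the intended rule was touched. Assumptions: one rule per line (the shape PulledPork writes and local.rules usually has; multi-line Snort 3 rules are not handled), and a rule with no explicit gid: option is a text rule, i.e. gid 1. All sids and file paths are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort/PulledPork.
# Comments out one text rule, selected by gid:sid, in a one-rule-per-line
# rules file. A rule without an explicit "gid:" option is treated as gid 1.

# disable_rule GID SID FILE: prefix the matching rule line with "# ".
# Comment and blank lines pass through, so running it twice is harmless.
disable_rule() {
    gid="$1"; sid="$2"; file="$3"
    awk -v want_gid="$gid" -v want_sid="$sid" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            s = ""; g = "1"
            if (match($0, /sid:[[:space:]]*[0-9]+/)) {
                s = substr($0, RSTART + 4, RLENGTH - 4)   # drop "sid:"
                gsub(/[[:space:]]/, "", s)
            }
            if (match($0, /gid:[[:space:]]*[0-9]+/)) {
                g = substr($0, RSTART + 4, RLENGTH - 4)   # drop "gid:"
                gsub(/[[:space:]]/, "", g)
            }
            if (s == want_sid && g == want_gid) print "# " $0
            else print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# active_rules FILE: number of rule lines that are not commented out.
active_rules() {
    grep -c -E '^[[:space:]]*(alert|block|drop|log|pass|react|reject|rewrite)[[:space:]]' "$1"
}

# is_disabled GID SID FILE: succeeds if a rule with that sid exists only as a
# comment (gid is not checked here; the sample has only gid-1 text rules).
is_disabled() {
    sid="$2"; file="$3"
    grep -E "^[[:space:]]*#.*sid:[[:space:]]*${sid}[[:space:]]*;" "$file" > /dev/null &&
    ! grep -E "^[[:space:]]*[a-z]+.*sid:[[:space:]]*${sid}[[:space:]]*;" "$file" > /dev/null
}

# make_sample_rules FILE: constructed sample, not a real ruleset. The sids are
# made up to look like a pulledpork.rules plus local.rules mix.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, one rule per line
alert icmp any any -> $HOME_NET any ( msg:"SAMPLE ICMP Echo Request"; sid:384; rev:1; )
alert icmp $HOME_NET any -> any any ( msg:"SAMPLE ICMP Echo Reply"; sid:408; rev:1; )
alert tcp any any -> $HOME_NET 22 ( msg:"SAMPLE local ssh probe"; sid:1000001; rev:1; )
alert tcp any any -> $HOME_NET 80 ( msg:"SAMPLE explicit gid"; gid:1; sid:1000003; rev:1; )
# alert tcp any any -> any any ( msg:"SAMPLE already disabled"; sid:1000002; rev:1; )
EOF
}

# Stand-alone run: build the sample, disable the noisy ICMP rule 1:384, show it.
demo() {
    f="${TMPDIR:-/tmp}/snort-rules-demo.$$.rules"
    make_sample_rules "$f"
    disable_rule 1 384 "$f"
    cat "$f"
    rm -f "$f" "$f.tmp"
}
demo
```

Two things decide whether the edit is visible to Snort, and they are worth checking before editing anything: the file must be the one Snort actually loads (whatever `ips.rules`/`ips.include` in snort.lua, `-R`, or `--rule-path` points at), and a file PulledPork generates (pulledpork.rules) is rewritten on its next run, so an edit there lasts only until then; a rule that comes from a downloaded ruleset is better dropped on the PulledPork side (disablesid.conf with PP2, as above) or suppressed in snort.lua. After the edit, run `snort -c <your snort.lua> -T` and compare the rule counts Snort prints with the previous run, then restart (or reload) Snort.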
Current thread:
- Snort Rule management Marc (Sep 05)
- Re: Snort Rule management Ian via Snort-sigs (Sep 06)
- Re: Snort Rule management Noah Dietrich (Sep 06)
- Re: Snort Rule management Marc (Sep 06)
- Re: Snort Rule management Noah Dietrich (Sep 06)
- Re: Snort Rule management Ian via Snort-sigs (Sep 06)