Snort mailing list archives

Re: Snort Rule management


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Mon, 6 Sep 2021 18:15:49 +0200

It all depends on how you are running Snort and which version of PP you're
running.
Is this rule one of your own local rules? If so: comment it out in your
local.rules file and re-run PulledPork to re-create the combined rules file.
If this rule is coming from one of the downloaded rulesets or a built-in rule,
you have a few options. With PulledPork 2 you can use the disablesid.conf
<https://github.com/shirkdog/pulledpork/blob/master/etc/disablesid.conf>
file to disable this rule.
If you're running PulledPork3, this functionality is not yet implemented.
However, you could configure Snort to suppress this alert in its output
(you can do this if you're running PP2 as well, since it's a Snort
configuration):

From a similar email I responded to:

I'd recommend you look into using the *suppress* module in your snort.lua
file. Details are in the snort reference manual
<https://github.com/snort3/snort3/releases/download/3.1.5.0/snort_reference.pdf>
(section 2.30), and there's an example here
<https://github.com/snort3/snort3_demo/blob/master/tests/framework/suppress/snort.lua>.
I haven't used this module, but I think you'd want to include something
like the following in your snort.lua file (you'll want to test this because
I haven't):
suppress = {
    {
        -- gid and sid of the alert to suppress
        gid = 112,
        sid = 1,
    },
    {
        -- you can add other rules to ignore here
        gid = 1,
        sid = 12345,
    }
}

Noah
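As an added example (my own code, not from this thread, PulledPork or Snort), a small Python helper for the rule bookkeeping discussed above: it finds rules by gid:sid in a rules file, comments them out, and emits the matching disablesid.conf lines (PulledPork 2) and snort.lua suppress table (Snort 3). The rules are a constructed sample standing in for local.rules; gid defaults to 1 where a rule sets none, which is Snort's default.

```python
import re

# Constructed sample standing in for a rules file (e.g. local.rules); not a real ruleset.
SAMPLE_RULES = """\
# --- constructed sample rules ---
alert icmp any any -> $HOME_NET any ( msg:"ICMP PING"; itype:8; sid:384; rev:5; )
alert icmp any any -> $HOME_NET any ( msg:"ICMP Echo Reply"; itype:0; sid:408; rev:5; )
alert tcp any any -> $HOME_NET 22 ( msg:"SSH traffic"; gid:1; sid:12345; rev:1; )
"""

# A rule line starts with an action keyword; a leading '#' marks it as disabled.
ACTIONS = ("alert", "block", "drop", "log", "pass", "reject", "rewrite")
RULE_RE = re.compile(r"^\s*(#\s*)?(?:%s)\s" % "|".join(ACTIONS))
OPT_RE = re.compile(r"\b(gid|sid)\s*:\s*(\d+)\s*;")

def rule_ids(line):
    """Return (gid, sid) for a rule line (commented or not), else None.
    gid defaults to 1 when the rule does not set one, as Snort does."""
    if not RULE_RE.match(line):
        return None
    opts = {k: int(v) for k, v in OPT_RE.findall(line)}
    if "sid" not in opts:
        return None
    return opts.get("gid", 1), opts["sid"]

def disable_rules(text, targets):
    """Comment out every rule whose (gid, sid) is in targets.
    Returns (new_text, ids_found) so the caller can spot a target that
    matched nothing (a mistyped sid, or a rule that lives in another file).
    Already-disabled rules are left alone, so the function is idempotent."""
    out, found = [], set()
    for line in text.splitlines():
        ids = rule_ids(line)
        if ids in targets:
            found.add(ids)
            if RULE_RE.match(line).group(1) is None:   # not yet commented
                line = "# " + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n", found

def disablesid_lines(targets):
    """gid:sid lines, one per rule, in the form PulledPork 2's disablesid.conf reads."""
    return ["%d:%d" % t for t in sorted(targets)]

def suppress_lua(targets):
    """Equivalent Snort 3 snort.lua 'suppress' table for the same gid:sid pairs."""
    entries = ",\n".join("    { gid = %d, sid = %d }" % t for t in sorted(targets))
    return "suppress = {\n%s,\n}\n" % entries
```

Point it at local.rules rather than the generated pulledpork.rules, since PulledPork rewrites that file on its next run; compare ids_found with what you asked for so a mistyped sid does not pass silently.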

On Mon, Sep 6, 2021 at 3:14 PM Ian via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi Marc,
Aside from commenting out or removing the rules from your snort.conf file, I'm
not sure there is any "better way". Keep in mind I am only familiar with
Snort in lab environments; my team has not been able to use Snort in
production.
This page is my go-to, though; I would look through the manuals section
near the bottom: Snort.org Snort3 Resources <https://www.snort.org/snort3>

Hope that helps some. Take care.

-----------------------------------------------------------
Ian



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, September 5th, 2021 at 9:29 AM, Marc <marc () mirabilisllc com> wrote:

Hi,

What would be a good reference on managing (not writing) Snort3 rules?
Specifically, I am running Snort 3.1.6 with SO rules and PulledPork. I am
having difficulty removing rules (e.g. a noisy ICMP rule). I am looking
for a concise reference or, alternatively, a tutorial on commenting out rules
and recompiling them. I have tried commenting out the rule in
pulledpork.rules and local.rules and restarting Snort, but that didn't do
it. Thank you.

Regards,

Marc


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
