Snort mailing list archives

Previous By Date Next
Previous By Thread Next

AW: (Snort-users) Disabling rules without touching the origi

From: <sandro.poppi () wacker com>
Date: Wed, 02 Jan 2002 10:41:00 +0100
Marcus,

did you already try using pass rules? This helped me (and of course a lot of
others too ;). Adding the command line option -o is then required. For your
example it will show up as

pass tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS

For more information take a look on the excellent snort manual.

HTH,
Sandro


Hello snorters,

I've spending hours trying to figure out how to disable
single rules from
the standard distribution by *only* changing snort.conf or
rules.local. I
do not want to touch any given standard rule, so updating the
rulesets will
be much easier.

My last attempt was the following (in rules.local)

ruletype donotshow {
        type alert
        output log_null
}
donotshow tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS
(msg:"Disabled Proxy Scan Attempt";flags:S;)

I wanted to create a rule that is applied earlier, than the
standard rule,
but it didnt work. I also played with the sid in the rule and
I tried to
change the include order in snort.conf.. nothing.

Is commenting out a rule or changing the vars in a rule so it
doesnt match
anymore really the only way to archive this? How do you guys
update and
organize your rulesets then?

BTW: I'm using Snort 1.8.3, logging to a mysql db, but I dont
think that
matters here.

Since this is my first posting to this list please have
patience. I hope I
didnt overlook something obvious.

--
BCNU
Marcus

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: