Snort mailing list archives
Re: Being killed by poor IE rules.
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Wed, 27 Jan 2010 12:22:51 -0500
On Wed, Jan 27, 2010 at 12:06 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
> Curious, what's the method to disable a singular GID3 rule without need to do a suppression? Simply comment out the stub in $SO_RULE_PATH for the SID, which is GID3, that you want to disable? I've got a few GID3's that are "map the network" in my environment that I'd like to not incur the processing hit. I tried commenting out the rule, for example, SID 13947 GID 3, to no avail. It still fires. Am I missing something?
>
> -evilghost
>
> Nigel Houghton wrote:
>> You can of course choose to not load the shared object libraries at all. You can also choose to not load the .rules files, or just like with regular rules, you can disable certain shared object rules by commenting out the stub rule in the .rules files. Up to you which way to go.
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Yes, that's exactly how to do it. The shared object rules require the corresponding stub rule to be present in order for the rule to be active.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
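
Added example, not part of the original message and not Sourcefire code: a small Python helper that comments out the stub for one GID:SID pair and lists any rules file that still holds an active copy, which is worth ruling out when a disabled stub keeps firing. The sample rules, file names and function names are constructed for illustration; a rule with no gid option is treated as GID 1.

```python
import re

# Constructed sample stub file (illustrative, not real VRT rule text).
SAMPLE_RULES = '''\
# constructed stub rules for illustration
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE stub A"; metadata:engine shared, soid 3|13947; sid:13947; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE stub B"; sid:15000; gid:3; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE text rule"; content:"x"; sid:13947; rev:1;)
'''

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_id(line):
    """Return (gid, sid) for an active rule line, None for comments or blanks."""
    stripped = line.strip()
    if not stripped.startswith(ACTIONS):
        return None
    sid = SID_RE.search(stripped)
    if not sid:
        return None
    gid = GID_RE.search(stripped)
    # A rule without an explicit gid belongs to generator 1 (text rules).
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def disable_stub(text, gid, sid):
    """Comment out every active rule matching gid:sid; return (new_text, count)."""
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        if rule_id(line) == (gid, sid):
            out.append("# " + line)
            count += 1
        else:
            out.append(line)
    return "".join(out), count


def still_active(files, gid, sid):
    """Given {file name: contents}, list the files with an active gid:sid rule."""
    return [name for name, text in files.items()
            if any(rule_id(l) == (gid, sid) for l in text.splitlines())]


if __name__ == "__main__":
    patched, changed = disable_stub(SAMPLE_RULES, 3, 13947)
    print(f"disabled {changed} stub(s)")
    print(patched)
```

The text rule that shares SID 13947 is left alone because its GID is 1, not 3.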