Snort mailing list archives

Re: Disabling Snort signatures with Oinkmaster


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 30 Dec 2010 20:13:42 -0500

On 12/30/2010 08:13, J. L. Cabral wrote:
> If I want to disable the signature: SID 119-19 with:
>
> 119 is a generator ID
> 19 is the SID

this is an internal GID:SID pair... GID 119 is the http_inspect preprocessor...

> I suppose in oinkmaster.conf I have to add the line:

you cannot disable internal GID:SID pairs with oinkmaster... why? because 
oinkmaster disables rules by adding a "#" (hash) as the first character of the 
rule's line in the rules file... internal GID:SID pairs are not controlled this 
way...

> disablesid 19
>
> but this line disables all SID 19 signatures as:
>
> sid: 19; gid: 119;
> sid: 19; gid: 122;
> sid: 19; gid: 133;
>
> Or what can I do to disable just sid: 19; gid: 119; and not the rest ???

use the threshold file and suppress it... oinkmaster is /"only"/ for the 
management of the actual GID 1 rules textual files...
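
The split described in the reply, as an added example that is not part of the original message or of either project's code: GID 1 text rules go to oinkmaster.conf as `disablesid` lines, and every other generator goes to the threshold file as a Snort `suppress gen_id ..., sig_id ...` line. The helper name `plan_disable`, the accepted "GID:SID" / "GID-SID" input forms, and the sample SID 1000001 are assumptions made for the illustration.

```python
import re

# Assumption for this sketch: alert identifiers arrive as "GID:SID" or
# "GID-SID" (the form used in the question, e.g. "119-19").
PAIR = re.compile(r"^\s*(\d+)\s*[:-]\s*(\d+)\s*$")
TEXT_RULE_GID = 1  # ordinary rules that live in the .rules text files


def plan_disable(pairs):
    """Return (oinkmaster_lines, threshold_lines) for the given GID:SID pairs.

    GID 1 rules can be commented out by oinkmaster; alerts from any other
    generator (for example 119, http_inspect) have no line in a rules file,
    so they are suppressed in the threshold file instead.
    """
    oinkmaster, threshold = [], []
    for raw in pairs:
        m = PAIR.match(raw)
        if not m:
            raise ValueError(f"not a GID:SID pair: {raw!r}")
        gid, sid = int(m.group(1)), int(m.group(2))
        if gid == TEXT_RULE_GID:
            line, target = f"disablesid {sid}", oinkmaster
        else:
            # Suppressing by both gen_id and sig_id leaves SID 19 of other
            # generators (122, 133, ...) untouched.
            line, target = f"suppress gen_id {gid}, sig_id {sid}", threshold
        if line not in target:  # skip duplicates, keep input order
            target.append(line)
    return oinkmaster, threshold


if __name__ == "__main__":
    # Constructed sample input: the pair from the question plus a local rule.
    oink, thresh = plan_disable(["119-19", "1:1000001"])
    print("# add to oinkmaster.conf")
    print("\n".join(oink))
    print("# add to the threshold file")
    print("\n".join(thresh))
```
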
