Re: SSH MISMATCH

[Joel Esler <jesler () sourcefire com>]

If you are using the preprocessor.rules, you can simply disable the alerting rule.


On Oct 19, 2012, at 10:40 AM, "Castle, Shane" <scastle () bouldercounty org> wrote:

> You know, I could be wrong, but my understanding is that these must be turned off by tuning the preprocessor config 
> in the snort.conf, not in disablesid.conf, pulledpork, or by commenting out the rule. They can be suppressed using 
> threshold.conf, of course.
>
> Am I wrong?
>
> -- 
> Shane Castle
> Data Security Mgr, Boulder County IT
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com] 
> Sent: Friday, October 19, 2012 08:18
> To: AllowOverride
> Cc: Michael Steele; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] SSH MISMATCH
>
> Use the disablesid.conf in pulledpork to turn off this particular rule.
>
>
> On Oct 18, 2012, at 9:53 PM, AllowOverride <allowoverride () gmail com> wrote:
>
> > Yes I am using pp. That's what is puzzling me. From what the other user
> > said, its built in.
> >
> > i guess i will try to recompile then negate it with snort command.
> >
> > just a few thoughts. thanks
> >
> >
> > n Thu, 2012-10-18 at 20:23 -0400, Michael Steele wrote:
> > > Aren't you using PulledPork? 
> > >
> > > Michael...
> > >
> > > -----Original Message-----
> > > From: AllowOverride [mailto:allowoverride () gmail com] 
> > > Sent: Wednesday, October 17, 2012 6:10 PM
> > > To: snort-users
> > > Subject: [Snort-users] SSH MISMATCH
> > >
> > > i am trying to turn off this alert in preproc_rules/preprocessor.rules:
> > >
> > > #alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1;
> > > metadata: rule-type preproc, service ssh ;
> > > classtype:non-standard-protocol;)
> > >
> > > i commented it out, still it shows up in base.
> > >
> > > which leads to another logical question: 
> > >
> > > how can one find out where a rule lives in the first place.
> > > i figured out from base if i mouse over the snort portion it states:
> > > 128-4 which i figured you can grep 128 goto the file, 4 entries down, find
> > > it that way.
> > >
> > > 1. is there another easier way to find them?
> > >
> > > 2. lastly, how can i turn it off 128-4 for good.
> > >
> > > thanks
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > --
> > > Everyone hates slow websites. So do we.
> > > Make your web apps faster with AppDynamics Download AppDynamics Lite for
> > > free today:
> > > http://p.sf.net/sfu/appdyn_sfd2d_oct
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort
> > > news!
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Everyone hates slow websites. So do we.
> > > Make your web apps faster with AppDynamics
> > > Download AppDynamics Lite for free today:
> > > http://p.sf.net/sfu/appdyn_sfd2d_oct
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> >
> > ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_sfd2d_oct
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!