Snort mailing list archives
Re: Preprocessor disabling question
From: SnortFan <SnortFan () yahoo com>
Date: Tue, 18 Feb 2014 16:56:17 -0500
If I place an entry in the disablesid.conf. For example: 129:12 It does take the preprocessor out of the snort.rules file. Would that be ok or am I going to break something? Thanks, Ed Sent from a mobile device.
On Feb 18, 2014, at 4:37 PM, SnortFan <SnortFan () yahoo com> wrote: Aren't they now rolled into the snort.rules file in the VRT-preprocessor Rules Category? I no longer push a preprocessor.rules file to my sensors. I'm using pulledpork v7. Thanks, Ed Sent from a mobile device.On Feb 18, 2014, at 3:11 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote: On Feb 18, 2014, at 12:47 PM, SnortFan <SnortFan () yahoo com> wrote:Other than suppressing in the threshold.conf file on each sensor, what is the best way to disable a few of the preprocessors by Sid #? I've searched and nothing I'm reading is very clear.You could comment them out in preprocessor.rules.I'm using pulledpork, but would placing a disable in the disablesid.conf work for a preprocessor?I think so, but I’m not 100% on that, I’d defer that questions to JJ.I've read mention of modifying the snort.conf but I don't see how you would block an individual Sid. If the only option is the threshold.conf, is it possible to do an include statement in the file, so I would then push out a universal set of suppressions to all my sensors and beable to update them all at once.------------------------------------------------------------------------------ Managing the Performance of Cloud-Based Applications Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper. http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Managing the Performance of Cloud-Based Applications Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper. http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Managing the Performance of Cloud-Based Applications Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper. http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question Joel Esler (jesler) (Feb 18)
- Re: Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question Joel Esler (jesler) (Feb 19)
- Re: Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question Joel Esler (jesler) (Feb 18)