Snort mailing list archives
Re: Rule wont disable
From: Doug Burks <doug.burks () gmail com>
Date: Thu, 25 Feb 2016 07:16:16 -0500
Hi Luke,

Please see:

https://groups.google.com/d/topic/security-onion/ZAokmNMGNCo/discussion
https://groups.google.com/d/topic/security-onion/SDvSoNQlSiY/discussion
https://groups.google.com/d/topic/security-onion/-twsY91fRf4/discussion

On Thu, Feb 25, 2016 at 6:49 AM, Luke Ager <luke.ager () icloud com> wrote:
> Hi guys.
>
> Having trouble in SecOnion with a rule that simply won't be disabled :)
> Maybe I am missing something.
>
> The rule in question is TMG Firewall Client long host entry exploit attempt 1:19187.
> It fires pretty regularly in my network and I've had a poke around and not worried about the alerts.
>
> I've always just used the threshold.conf to tune out most things but in this case that didn't seem to work and so have also added to disabledsid.conf within pulledpork directory.
>
> In threshold.conf I have:
>
> Suppress gen_id 1, sig_id 19187
>
> and in disabledsid.conf I have:
>
> 1:19187,(more rules),(more rules)
>
> Any help would be appreciated.
>
> Thanks
> L
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Doug Burks
http://securityonion.net
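
A check for the situation described in this thread, added here as an example and not part of either message: it compares what the suppress file and the PulledPork disable list say about a gid:sid with the state of that rule in the rules file. The three inline texts are constructed samples (the rule bodies are placeholders, and the suppress keyword is matched case-insensitively as an assumption); only plain `gid:sid` entries of the disable list are handled.

```python
import re

# Constructed sample inputs modelled on the settings quoted in the thread.
THRESHOLD_CONF = """\
# suppress file (constructed sample)
Suppress gen_id 1, sig_id 19187
suppress gen_id 1, sig_id 2000001, track by_src, ip 10.0.0.5
"""
DISABLE_LIST = """\
# PulledPork disable list (constructed sample)
1:19187,1:2000002,1:2000003
"""
RULES = """\
alert tcp any any -> any any (msg:"constructed placeholder A"; sid:19187; rev:1;)
# alert tcp any any -> any any (msg:"constructed placeholder B"; sid:2000002; rev:1;)
"""

def suppressed(text):
    """(gid, sid) pairs that have a suppress entry."""
    pat = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)
    return {(int(m[1]), int(m[2])) for line in text.splitlines() if (m := pat.match(line))}

def listed_disabled(text):
    """(gid, sid) pairs named in the disable list; comments are ignored."""
    pairs = set()
    for line in text.splitlines():
        body = line.split("#", 1)[0]
        pairs.update((int(g), int(s)) for g, s in re.findall(r"\b(\d+):(\d+)\b", body))
    return pairs

def rule_states(text):
    """Map (gid, sid) to 'active' or 'commented' for each rule line."""
    head = re.compile(r"^\s*(#\s*)?(alert|drop|log|pass|reject|sdrop)\b.*\bsid:\s*(\d+)")
    states = {}
    for line in text.splitlines():
        m = head.match(line)
        if m:
            g = re.search(r"\bgid:\s*(\d+)", line)  # gid defaults to 1 when absent
            states[(int(g[1]) if g else 1, int(m[3]))] = "commented" if m[1] else "active"
    return states

def diagnose(gid, sid):
    key = (gid, sid)
    return {"suppress_entry": key in suppressed(THRESHOLD_CONF),
            "in_disable_list": key in listed_disabled(DISABLE_LIST),
            "rule_state": rule_states(RULES).get(key, "absent")}

if __name__ == "__main__":
    for sid in (19187, 2000002, 2000001):
        print(f"1:{sid}", diagnose(1, sid))
```

A result with `in_disable_list` true and `rule_state` still `active` shows that the rules text being inspected does not reflect the disable list.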
Current thread:
- Rule wont disable Luke Ager (Feb 25)
- Re: Rule wont disable Doug Burks (Feb 25)