Snort mailing list archives

Re: Rule won't disable


From: Doug Burks <doug.burks () gmail com>
Date: Thu, 25 Feb 2016 07:16:16 -0500

Hi Luke,

Please see:

https://groups.google.com/d/topic/security-onion/ZAokmNMGNCo/discussion

https://groups.google.com/d/topic/security-onion/SDvSoNQlSiY/discussion

https://groups.google.com/d/topic/security-onion/-twsY91fRf4/discussion

On Thu, Feb 25, 2016 at 6:49 AM, Luke Ager <luke.ager () icloud com> wrote:
Hi guys.
Having trouble in SecOnion with a rule that simply won't be disabled :)
Maybe I am missing something. The rule in question is TMG Firewall Client
long host entry exploit attempt 1:19187.
it fires pretty regularly in my network and I've had a poke around and not
worried about the alerts.

I've always just used the threshold.conf to tune out most things but in this
case that didn't seem to work and so have also added to disabledsid.conf
within pulledpork directory.

In threshold.conf I have:
Suppress gen_id 1, sig_id 19187

and in disabledsid.conf I have:
1:19187,(more rules),(more rules)

Any help would be appreciated.

thanks
L

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!



-- 
Doug Burks
http://securityonion.net
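For anyone hitting the same symptom, the following is an added diagnostic script, not code from this thread, from Security Onion or from pulledpork. It assumes three constructed inputs: a threshold.conf with Snort's documented "suppress gen_id N, sig_id M" lines, a disablesid.conf in pulledpork's "gid:sid" comma-separated format (pulledpork's documented file name is disablesid.conf), and the rules file that pulledpork writes, where a disabled rule appears commented out with "#". Given a gid:sid it reports which of the three places actually cover the rule, which separates "never configured" from "configured but pulledpork not re-run / Snort not reloaded" and from "suppressed but still running".

```python
import re

# Constructed sample inputs; these are not files from the thread.
THRESHOLD_CONF = """\
# threshold.conf (constructed sample)
suppress gen_id 1, sig_id 19187
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.5
event_filter gen_id 1, sig_id 2003, type limit, track by_src, count 1, seconds 60
"""

DISABLESID_CONF = """\
# disablesid.conf (constructed sample, pulledpork gid:sid format)
1:19187,1:2100498
1:2003
"""

RULES_FILE = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:1; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed disabled rule"; sid:2003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed active rule"; sid:2100498; rev:1;)
"""

SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_suppressions(text):
    """Return the set of (gid, sid) pairs that threshold.conf suppresses.
    event_filter/threshold lines are ignored: they rate-limit, they do not suppress."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            found.add((int(m.group(1)), int(m.group(2))))
    return found


def parse_disablesid(text):
    """Return the set of (gid, sid) pairs listed in disablesid.conf.
    Comma-separated lists are split; pcre:/category entries are skipped."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for item in line.split(","):
            m = re.fullmatch(r"(\d+):(\d+)", item.strip())
            if m:
                found.add((int(m.group(1)), int(m.group(2))))
    return found


def rule_states(text):
    """Map (gid, sid) -> 'active' or 'commented' for every rule in a rules file.
    Rules without an explicit gid keyword default to gid 1, as Snort does."""
    states = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        sid = SID_RE.search(body)
        if not sid:
            continue
        gid = GID_RE.search(body)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        states[key] = "commented" if commented else "active"
    return states


def diagnose(gid, sid, threshold_conf, disablesid_conf, rules_file):
    """Explain why a rule may still fire, based only on the three config sources."""
    key = (gid, sid)
    suppressed = key in parse_suppressions(threshold_conf)
    disabled = key in parse_disablesid(disablesid_conf)
    state = rule_states(rules_file).get(key, "missing")
    findings = []
    if not suppressed:
        findings.append("no suppress line in threshold.conf")
    if not disabled:
        findings.append("not listed in disablesid.conf")
    if disabled and state == "active":
        findings.append("listed in disablesid.conf but still active in the rules file: "
                        "pulledpork has not been re-run, or Snort has not reloaded the rules")
    if suppressed and not disabled and state == "active":
        findings.append("rule still runs; suppress only hides its alerts")
    return {"suppressed": suppressed, "disabled": disabled,
            "rule_state": state, "findings": findings}


if __name__ == "__main__":
    for gid_sid in ((1, 19187), (1, 2003), (1, 2100498)):
        print(gid_sid, diagnose(*gid_sid, THRESHOLD_CONF, DISABLESID_CONF, RULES_FILE))
```

Point the three constants at the real files under the pulledpork and Snort config directories to run it against a live sensor; the interesting case is a rule that is listed in disablesid.conf yet still "active" in the generated rules file, which means the disable never reached the running Snort.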
