Re: FATAL ERROR - Preproc Rule Help - rule duplicates

[Matthew White <on3moda () gmail com>]

Looks like pulledpork is pulling their own. So there is two places this can
be set. Going to try and comment out and edit disablesid.conf.

On Wed, May 25, 2016 at 12:50 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

> The Snorby UI is outside our scope so maybe someone else can chime in.
>
>
>
> Putting the # in front of the rule disables it. Snort will have to be
> restarted for the changes to take effect.
>
>
>
> Good luck.
>
>
>
> *Albert Lewis*
>
> QA SNORT/Sourcefire
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* Matthew White [mailto:on3moda () gmail com]
> *Sent:* Wednesday, May 25, 2016 1:27 PM
> *To:* Al Lewis (allewi)
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] FATAL ERROR - Preproc Rule Help - rule
> duplicates
>
>
>
> Line 29
>
> pass ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata:
> rule-type preproc, service http ; classtype:bad-unknown;
> reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281;
> reference:bugtraq,43338; reference:cve,2011-5007; )
>
>
>
> When I put # in front of it. It was still showing in Snorby.
>
>
>
> On Wed, May 25, 2016 at 11:24 AM, Al Lewis (allewi) <allewi () cisco com>
> wrote:
>
> What does line 29 in your preprocessor.rules file look like?
>
>
>
> To disable the rule you need to put a ‘#’ in front of the line.
>
>
>
>
>
>
>
> *Albert Lewis*
>
> QA SNORT/Sourcefire
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* Matthew White [mailto:on3moda () gmail com]
> *Sent:* Wednesday, May 25, 2016 12:18 PM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] FATAL ERROR - Preproc Rule Help - rule duplicates
>
>
>
> I am trying to tune Snort at the processor level in the flow before info
> is processed to lighten the CPU usage.
>
>
>
> Steps I have tried to no avail
>
> 1. Commenting the rule out using #.
>
> 2. Changing alert to pass instead of alert to get the following error.
>
>
>
> FATAL ERROR: /etc/snort/preproc_rules/preprocessor.rules(29) GID 119 SID
> 15 in rule duplicates previous rule, with different type.
>
>
>
> Instructions I am following
>
>
>
> https://www.snort.org/faq/readme-decoder_preproc_rules
>
>
>
> Is there something else I am missing?
>
>
>
> Thanks,
>
>
>
> Matthew
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!