Snort mailing list archives

Re: Finding and Removing Rules


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sun, 9 Jul 2017 15:16:12 +0000

That’s a preprocessor rule:

cliffjumper:snort-2.9.9.0 allewi$ less preproc_rules/preprocessor.rules | grep "sid: 15; gid: 129"
alert ( msg: "STREAM5_BAD_RST"; sid: 15; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of "Jones, Christopher (Chris) (Maj) via Snort-users" <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Reply-To: "Jones, Christopher (Chris) (Maj)" <cajones1 () nps edu<mailto:cajones1 () nps edu>>
Date: Friday, July 7, 2017 at 7:28 PM
To: "Snort-users () lists snort org<mailto:Snort-users () lists snort org>" <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Subject: [Snort-users] Finding and Removing Rules

All,

There have been some difficult questions brought forward lately so here’s an easy one. I’m commenting out rules that are generating a bunch of alerts that don’t appear to be risky. Most rules are nicely named so I can find them in the appropriate rule file and comment them out. This latest one is not so easy:

[**] [129:15:1] Reset outside window [**]
[Classification: Potentially Bad Traffic] [Priority: 2]

Two questions:

1. How do I read the [129:15:1]?

2. Is this rule in a regular rule file, preprocessor or other file?

Thanks very much.
CJ
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
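The two questions above have a mechanical answer that is worth automating when there are many alerts to triage. In a Snort 2.x alert the bracketed identifier is `[gid:sid:rev]`: generator ID, signature ID and revision. Ordinary text rules are emitted by generator 1, so a gid other than 1 (129 here) means a preprocessor or decoder event, and those rules live in `preproc_rules/` rather than in the regular rule files. Note also that the alert text ("Reset outside window") is not the `msg` of the rule ("STREAM5_BAD_RST"), which is exactly why grepping rule files for the alert wording finds nothing; the reliable lookup key is the gid:sid pair, as the reply's grep shows. The script below is an added example, not code from either poster: it parses an alert header, looks the rule up by gid:sid across rule files, and comments it out. The rule-file contents are constructed inline (copied from the thread plus one made-up text rule in a hypothetical `rules/local.rules`) so it runs offline; against a real installation you would read the files from the Snort configuration directory instead.

```python
"""Decode a Snort 2.x alert identifier and locate or disable the matching rule.

Added example, not from the mailing-list thread. Rule-file contents are
constructed inline so the script runs offline; on a real sensor read
preproc_rules/preprocessor.rules and the rules/*.rules files instead.
"""
import re

# Constructed sample: two preprocessor rules (gid 129, the stream
# preprocessor) in preprocessor.rules syntax, and one ordinary text rule
# whose gid is implicit (text rules are generator 1).
SAMPLE_FILES = {
    "preproc_rules/preprocessor.rules": (
        'alert ( msg: "STREAM5_BAD_RST"; sid: 15; gid: 129; rev: 1; '
        'metadata: rule-type preproc ; classtype:bad-unknown; )\n'
        'alert ( msg: "STREAM5_WINDOW_TOO_LARGE"; sid: 7; gid: 129; rev: 1; '
        'metadata: rule-type preproc ; classtype:protocol-command-decode; )\n'
    ),
    "rules/local.rules": (  # hypothetical local rule file
        'alert tcp any any -> any 23 (msg:"LOCAL telnet login"; '
        'sid:1000001; rev:2; classtype:attempted-recon;)\n'
    ),
}

# "[**] [gid:sid:rev] message text [**]" as printed in the alert file
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
# Matches "sid:15", "sid: 15" and "sid : 15" alike (preproc rules use spaces)
OPT_RE = r"\b{}\s*:\s*(\d+)"


def parse_alert_header(line):
    """Return (gid, sid, rev, msg) from a '[**] [g:s:r] msg [**]' line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a Snort alert header: %r" % line)
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return gid, sid, rev, m.group(4)


def classify(gid):
    """Generator 1 is the text-rule engine; anything else is a preprocessor/decoder."""
    return "text rule (rules/*.rules)" if gid == 1 else "preprocessor/decoder rule (preproc_rules/)"


def rule_ids(rule_text):
    """Extract (gid, sid, rev) from one rule line; gid defaults to 1, rev to 0."""
    sid = re.search(OPT_RE.format("sid"), rule_text)
    if not sid:
        return None
    gid = re.search(OPT_RE.format("gid"), rule_text)
    rev = re.search(OPT_RE.format("rev"), rule_text)
    return (int(gid.group(1)) if gid else 1,
            int(sid.group(1)),
            int(rev.group(1)) if rev else 0)


def find_rule(gid, sid, files):
    """Return (filename, rule_text) of the first active rule with this gid:sid, else None."""
    for name, text in files.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank, or already commented out
            ids = rule_ids(line)
            if ids and ids[0] == gid and ids[1] == sid:
                return name, line
    return None


def disable_rule(text, gid, sid):
    """Return the rule-file text with the gid:sid rule commented out.

    Snort ignores lines starting with '#', so this is the same edit the
    original poster makes by hand; every other line is left untouched.
    """
    out = []
    for raw in text.splitlines():
        ids = None if raw.lstrip().startswith("#") else rule_ids(raw)
        if ids and ids[0] == gid and ids[1] == sid:
            out.append("# " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    gid, sid, rev, msg = parse_alert_header("[**] [129:15:1] Reset outside window [**]")
    print("gid=%d sid=%d rev=%d -> %s: %s" % (gid, sid, rev, classify(gid), msg))
    hit = find_rule(gid, sid, SAMPLE_FILES)
    print("found in %s:\n  %s" % hit if hit else "no rule with that gid:sid")
    print(disable_rule(SAMPLE_FILES["preproc_rules/preprocessor.rules"], gid, sid))
```

Before commenting a preprocessor rule out, keep in mind that many gid 129 events (bad RST, window checks) describe stream anomalies rather than a signature match; silencing the rule stops the alert but not the underlying behaviour, so it is worth confirming from the alerting hosts that the traffic really is benign.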
