Snort mailing list archives

Re: A question about disable sids with pulledpork

From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 14 Nov 2011 16:47:07 -0700

-----Original Message-----
From: carlopmart [mailto:carlopmart () gmail com]
Sent: Monday, November 14, 2011 4:34 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] A question about disable sids with

pulledpork


On 11/14/2011 07:26 PM, JJ Cummings wrote:

It is, look into the pcre capability for disablesid.

Sent from the iRoad


Thanks JJC. I can disabled most of all except two rules from
web-misc.rules: sid:18318 and sid:17748. I have tried inserting this

in

disable.conf:

3:17748,3:18318

  .. and it doesn't works ... then I have tried this:

pcre:ssl_version

  ... adn it doesn't works

  What am I doing worng??


Try:

1:17748,1:18318

James

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

A question about disable sids with pulledpork carlopmart (Nov 14)
- Re: A question about disable sids with pulledpork JJ Cummings (Nov 14)
  - Re: A question about disable sids with pulledpork carlopmart (Nov 14)
    - Re: A question about disable sids with pulledpork Lay, James (Nov 14)
    - Re: A question about disable sids with pulledpork carlopmart (Nov 14)
    - Re: A question about disable sids with pulledpork JJ Cummings (Nov 14)
    - Re: A question about disable sids with pulledpork carlopmart (Nov 15)