Re: How to turn off a rule

[Jeremy Hoel <jthoel () gmail com>]

If its stupid and it works, its not stupid. In the top 10 results are the
answers to your problem.  But hey, you can ask the same question on the
mailing list and let someone get around to answering vs finding the answer
online and moving to your next problem.
On Oct 11, 2012 6:04 PM, "AllowOverride" <allowoverride () gmail com> wrote:

> i disagree... completely, google yields hundreds of hits, i cant believe
> you actually pulled a 2008 joke on me like that,, you are 2000 late
> dude.. lolol
>
> On Thu, 2012-10-11 at 21:52 +0000, Jeremy Hoel wrote:
> > Because the question you asked is easily answered by doing a google
> search.
> > You asked about how to disable a rule, I answered that, and then
> > pointed to conversations about the particular error you are seeing.
> > Because it's probably not a rule, but a preprocessor.
> >
> > And because google can be your friend if you use it, quick answers to
> > common problems..
> >
> >
> > On Thu, Oct 11, 2012 at 9:36 PM, AllowOverride <allowoverride () gmail com>
> wrote:
> > > why are you sending me to google?
> > >
> > > On Thu, 2012-10-11 at 19:39 +0000, Jeremy Hoel wrote:
> > > > You comment our a rule that you don't want, then restart snort for
> > > > that change to take effect.
> > > >
> > > > In the case of SSH protocal mismatches, it's probably not a rule, but
> > > > the preprocessor.. in which case;
> > > >
> > > > http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch
> > > >
> > > > There's been a lot of talk about various way to disable to alert to
> > > > match your needs.
> > > >
> > > >
> > > >
> > > > On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <
> allowoverride () gmail com> wrote:
> > > > > ok, my understanding is to turn off a rule in snort.rules by simply
> > > > > putting a # or commenting it out, in front of the rule.
> > > > >
> > > > > my question is:
> > > > >
> > > > >             #22-(2-5946)
> > > > > [snort] ssh: Protocol mismatch
> > > > >
> > > > > turn off this rule.
> > > > >
> > > > > what do i look for, there are a shyt load of ssh rules.
> > > > > maybe look for leading line stating 22?
> > > > >
> > > > > or grep 5946, in snort.rules, right?
> > > > >
> > > > > thanks!
> > > > >
> > > > > ps this is a false positive, as i am 192.168.1.35 connecting to
> > > > > 192.168.1.14.. its me.
> ------------------------------------------------------------------------------
> > > > > Don't let slow site performance ruin your business. Deploy New
> Relic APM
> > > > > Deploy New Relic app performance management and know exactly
> > > > > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> > > > > Try New Relic at no cost today and get our sweet Data Nerd shirt
> too!
> > > > > http://p.sf.net/sfu/newrelic-dev2dev
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the
> latest Snort news!
> > >
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!