Snort mailing list archives
Re: How to turn off a rule
From: JJC <cummingsj () gmail com>
Date: Fri, 12 Oct 2012 12:41:54 -0600
As a quick note, suppressing an entire SID is pretty inefficient.. it only suppresses the alert form being recorded, the rule itself still loads into memory and traffic is still evaluated against it. In almost every case where you are generically suppressing a SID, you should instead be disabling the SID. JJC On Fri, Oct 12, 2012 at 8:45 AM, Craft, Robert <Robert.Craft () atlanticare org
wrote:
There's always disabledsid.conf and/or threshold.conf dsisabledsid is more of an OFF switch for a rule while threshold allows tuning (and off as well) threshold.conf examples: These filter based on the source ip suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx suppress gen_id 1 , sig_id 2003068, track by_src, ip xxx.xxx.xxx.xxx # engineer's SSH scans This one is an off switch suppress gen_id 1 , sig_id 2010936 # shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic A disabledsid.conf entry looks more like this: 1:2010936 # shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic ------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: How to turn off a rule, (continued)
- Re: How to turn off a rule Jeremy Hoel (Oct 11)
- Re: How to turn off a rule AllowOverride (Oct 11)
- Re: How to turn off a rule AllowOverride (Oct 11)
- Re: How to turn off a rule Michael Steele (Oct 11)
- Re: How to turn off a rule AllowOverride (Oct 11)
- Re: How to turn off a rule Jeremy Hoel (Oct 11)
- Re: How to turn off a rule AllowOverride (Oct 11)
- Re: How to turn off a rule Jeremy Hoel (Oct 11)
- Re: How to turn off a rule AllowOverride (Oct 12)
- Re: How to turn off a rule Craft, Robert (Oct 12)
- Re: How to turn off a rule JJC (Oct 12)