Snort mailing list archives

Re: How to turn off a rule


From: JJC <cummingsj () gmail com>
Date: Fri, 12 Oct 2012 12:41:54 -0600

As a quick note, suppressing an entire SID is pretty inefficient. It only
suppresses the alert from being recorded; the rule itself still loads into
memory and traffic is still evaluated against it.  In almost every case
where you are generically suppressing a SID, you should instead be
disabling the SID.

JJC

On Fri, Oct 12, 2012 at 8:45 AM, Craft, Robert <Robert.Craft () atlanticare org> wrote:

There's always disabledsid.conf and/or threshold.conf

disabledsid is more of an OFF switch for a rule while threshold allows
tuning (and off as well)

threshold.conf examples:
These filter based on the source ip
suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx
suppress gen_id 1 , sig_id 2001689, track by_src, ip xxx.xxx.xxx.xxx
suppress gen_id 1 , sig_id 2003068, track by_src, ip xxx.xxx.xxx.xxx
# engineer's SSH scans

This one is an off switch
suppress gen_id 1 , sig_id 2010936
# shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic

A disabledsid.conf entry looks more like this:
1:2010936
# shutting up ET POLICY Suspicious inbound to Oracle SQL port 1521 alert going off on any traffic




------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
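The thread's advice is to keep per-host suppressions in threshold.conf but turn blanket "suppress gen_id X, sig_id Y" lines (no track/ip qualifier) into disable entries, since a blanket-suppressed rule is still loaded and matched against every packet. The script below is an added example, not code from the thread or from Snort: it parses the suppress syntax from the Snort threshold.conf documentation ("suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip>]") and the gid:sid line format Robert shows for disabledsid.conf, lists the blanket suppressions, and rewrites both files so those SIDs move to the disable list. The file contents, the 192.0.2.x addresses and the `migrate` function name are constructed for the example; event_filter lines are deliberately left alone because they tune thresholds rather than silencing a rule outright.

```python
"""Move blanket threshold.conf suppressions into disablesid-style gid:sid entries (added example)."""
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class Suppress(NamedTuple):
    gid: int
    sid: int
    track: Optional[str]  # "by_src"/"by_dst", or None for a blanket suppress
    ip: Optional[str]     # address/CIDR the suppress is limited to, or None
    raw: str              # original line, so per-host lines are written back unchanged


# threshold.conf suppress syntax:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$",
    re.IGNORECASE,
)


def parse_threshold_conf(text: str) -> List[Suppress]:
    """Return every suppress directive in a threshold.conf body (comments stripped)."""
    found: List[Suppress] = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if not code:
            continue
        m = SUPPRESS_RE.match(code)
        if m is None:
            continue  # event_filter / rate_filter lines are not suppressions
        gid, sid, track, ip = m.groups()
        found.append(Suppress(int(gid), int(sid), track.lower() if track else None, ip, raw))
    return found


def blanket_suppressions(entries: List[Suppress]) -> List[Suppress]:
    """Suppressions with no track/ip qualifier: the rule still runs on every
    packet and every alert is thrown away, so the rule is pure overhead."""
    return [e for e in entries if e.track is None]


def parse_disablesid_conf(text: str) -> Set[Tuple[int, int]]:
    """Parse gid:sid lines (the disabledsid.conf format shown in the thread)."""
    disabled: Set[Tuple[int, int]] = set()
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"(\d+):(\d+)", code)
        if m:
            disabled.add((int(m.group(1)), int(m.group(2))))
    return disabled


def migrate(threshold_text: str, disablesid_text: str) -> Tuple[str, str]:
    """Return (new_threshold_conf, new_disablesid_conf).

    Blanket suppressions are dropped from threshold.conf and appended to the
    disable list as gid:sid (deduplicated against entries already present).
    Per-host suppressions stay put: disabling those rules would also lose
    the alerts for every other source address.
    """
    entries = parse_threshold_conf(threshold_text)
    blanket = blanket_suppressions(entries)
    raw_to_drop = {e.raw for e in blanket}
    kept = [ln for ln in threshold_text.splitlines() if ln not in raw_to_drop]
    to_move = {(e.gid, e.sid) for e in blanket} - parse_disablesid_conf(disablesid_text)
    new_lines = [f"{gid}:{sid}" for gid, sid in sorted(to_move)]
    disable_out = disablesid_text.rstrip("\n")
    if new_lines:
        disable_out = (disable_out + "\n" if disable_out else "") + "\n".join(new_lines)
    return "\n".join(kept) + "\n", disable_out + "\n"


# Constructed sample inputs modelled on the thread (RFC 5737 documentation addresses).
SAMPLE_THRESHOLD_CONF = """\
# engineer's SSH scans: keep these, they only silence one source host
suppress gen_id 1, sig_id 2001689, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2003068, track by_src, ip 192.0.2.10
# blanket off switch, listed twice as in the thread: belongs in disabledsid.conf
suppress gen_id 1 , sig_id 2010936
suppress gen_id 1 , sig_id 2010936
# a threshold, not a suppress: left untouched
event_filter gen_id 1, sig_id 2003068, type limit, track by_src, count 1, seconds 60
"""
SAMPLE_DISABLESID_CONF = "# disabledsid.conf\n"

if __name__ == "__main__":
    for e in blanket_suppressions(parse_threshold_conf(SAMPLE_THRESHOLD_CONF)):
        print(f"blanket suppress of {e.gid}:{e.sid}; disable the rule instead")
    new_threshold, new_disable = migrate(SAMPLE_THRESHOLD_CONF, SAMPLE_DISABLESID_CONF)
    print("--- threshold.conf ---\n" + new_threshold + "--- disabledsid.conf ---\n" + new_disable)
```

Run it against real files by reading them in place of the constructed samples; the per-source suppress lines and the event_filter survive, and only the blanket 2010936 line moves to the disable list. Remember that a disable entry takes effect only when the rule set is regenerated and Snort is restarted or reloaded, whereas a threshold.conf change is picked up on its own reload.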
