Snort mailing list archives

Re: Pulledpork doesn't disable some rules

From: JJC <cummingsj () gmail com>
Date: Tue, 15 Apr 2014 12:03:41 -0600

You could also change the flowbits set rule to a noalert


JJC


On Tue, Apr 15, 2014 at 12:28 AM, C. L. Martinez <carlopmart () gmail com>wrote:

On Mon, Apr 14, 2014 at 5:11 PM, waldo kitty <wkitty42 () windstream net>
wrote:

On 4/14/2014 3:32 AM, C. L. Martinez wrote:

Cleanup....
removed 55 temporary snort files or directories from /tmp/tha_rules!
Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
Disabled 1:2009005
Disabled 1:2011582
Modified 2 rules
Done
Setting Flowbit State....
WARN - 1:2011582 is re-enabled by a check of the
ET.http.javaclient.vulnerable flowbit!

[...]

Uhmm .. How can I avoid this situation??


disable the rules that rely on that flowbit as well as the rule(s) that

set it...

--


Thanks waldo and YM. After seeing the different possibilities, I am
using threshold.conf to disable this alert.


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: Pulledpork doesn't disable some rules C. L. Martinez (Apr 13)
- Re: Pulledpork doesn't disable some rules Y M (Apr 13)
  - Re: Pulledpork doesn't disable some rules C. L. Martinez (Apr 14)
    - Re: Pulledpork doesn't disable some rules C. L. Martinez (Apr 14)
    - Re: Pulledpork doesn't disable some rules Y M (Apr 14)
    - Re: Pulledpork doesn't disable some rules C. L. Martinez (Apr 14)
    - Re: Pulledpork doesn't disable some rules Y M (Apr 14)
    - Re: Pulledpork doesn't disable some rules waldo kitty (Apr 14)
    - Re: Pulledpork doesn't disable some rules C. L. Martinez (Apr 14)
    - Re: Pulledpork doesn't disable some rules JJC (Apr 15)