Snort mailing list archives

Re: Disabling Rules via disablesid.conf


From: Y M <snort () outlook com>
Date: Fri, 6 Feb 2015 07:16:14 +0000

Comments inline.

From: steven.vona () navy mil
To: snort-users () lists sourceforge net
Date: Thu, 5 Feb 2015 20:47:40 +0000
Subject: [Snort-users] Disabling Rules via disablesid.conf

I have Snort running on a few sensors around our network.  We have subscriptions for the rules and we use pulledpork to 
download the rules daily.
 
I am now attempting to tune the rules a little bit to disable some items that we do not need to see.  I put these in the 
disablesid.conf file and when I run pulledpork I see:
 
Processing /etc/snort/disablesid.conf....
        Disabled 3:21355
        Disabled 3:19187
        Modified 2 rules
        Done
 
So it looks like it is disabling the rule, however I am still receiving alerts for the rule in my database.
 
Any ideas?

## Some ideas to troubleshoot:
1) Verify that the same sids are not included in the enablesid.conf (lame, but why not).
2) Has the order in which PulledPork processes rules been changed?
3) If you grep for the sids from the snort.rules (given you reconcile rules via PulledPork), do they exist?
4) Are these two rules included in another .rules file (local.rules or so)?
Additional info:
 
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
  
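The checks suggested above (sid also present in enablesid.conf, an uncommented copy of the rule surviving in snort.rules or another .rules file) can be scripted. This is an added example, not code from either poster or from PulledPork; the rules directory layout and every file it creates are constructed samples.

```shell
#!/bin/sh
# Added example: for a gid:sid that disablesid.conf should have switched off, check
# whether it is also listed in enablesid.conf and whether an uncommented copy still
# exists in any .rules file. All paths and file contents below are constructed.

# Exit 0 if gid:sid appears on an uncommented line of a PulledPork sid list.
listed_in() {
    gid="$1"; sid="$2"; conf="$3"
    [ -f "$conf" ] || return 1
    grep -Ev '^[[:space:]]*#' "$conf" | grep -Eq "(^|[^0-9])${gid}:${sid}([^0-9]|\$)"
}

# Keep only rule lines whose generator matches; gid 1 rules usually carry no
# gid keyword at all, so for gid 1 we drop lines that name any other gid.
gid_filter() {
    if [ "$1" = "1" ]; then
        grep -Ev 'gid:[[:space:]]*([02-9][0-9]*|1[0-9]+)[[:space:]]*;'
    else
        grep -E "gid:[[:space:]]*$1[[:space:]]*;"
    fi
}

# Print each .rules file that still has an ACTIVE rule with this gid:sid.
# PulledPork disables a rule by commenting it out, so '#' lines do not count.
active_rule_files() {
    gid="$1"; sid="$2"; rulesdir="$3"
    for f in "$rulesdir"/*.rules; do
        [ -f "$f" ] || continue
        if grep -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$f" \
            | grep -E "sid:[[:space:]]*${sid}[[:space:]]*;" | gid_filter "$gid" | grep -q .; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Constructed sample rules directory mirroring the situation in the thread.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/snort.rules" <<'EOF'
# alert tcp any any -> any any (msg:"SO rule 21355"; gid:3; sid:21355; rev:1;)
# alert tcp any any -> any any (msg:"SO rule 19187"; gid:3; sid:19187; rev:1;)
alert tcp any any -> any 80 (msg:"Unrelated rule"; sid:1000001; rev:1;)
EOF
    cat > "$d/local.rules" <<'EOF'
alert tcp any any -> any any (msg:"Hand-copied duplicate"; gid:3; sid:19187; rev:1;)
EOF
    printf '3:21355\n' > "$d/enablesid.conf"
    printf '%s\n' "$d"
}
```

On a real sensor, run `active_rule_files 3 19187 <your rules directory>` and `listed_in 3 19187 /etc/snort/enablesid.conf` against the live files instead of the sample directory.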
