Snort mailing list archives

Re: Disabling Rules via disablesid.conf


From: "Vona, Steven A CIV NSWCCD Philadelphia, 10411" <steven.vona () navy mil>
Date: Fri, 6 Feb 2015 16:54:26 +0000

I have snort.conf pointing to so_rules directory which holds bad_traffic.rules.

It looks like my so_rules directory hasn't been updated since 2012.  Are these needed?

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com] 
Sent: Friday, February 06, 2015 10:32 AM
To: Y M
Cc: Vona, Steven A CIV NSWCCD Philadelphia, 10411; snort-users
Subject: Re: [Snort-users] Disabling Rules via disablesid.conf

Also, make sure that your snort.conf is actually pointing to the file(s) being created/edited by pulledpork. The 
current registered version of bad_traffic.rules doesn't have any rules in it, so this makes me wonder if your 
snort.conf isn't pointed at the correct rule file(s).

On Fri, Feb 6, 2015 at 9:30 AM, Y M <snort () outlook com> wrote:

        > From: steven.vona () navy mil
        > To: snort () outlook com
        > CC: snort-users () lists sourceforge net
        > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
        > Date: Fri, 6 Feb 2015 14:16:22 +0000
        > 
        > Thanks for the heads up. I followed your troubleshooting steps and I found the offending alert in 
bad_traffic.rules file. I deleted the line and it looks like they are disabled now.

        # Glad that you found the source of the issue. Just keep in mind that manual changes to .rules files, i.e.: 
deleting/commenting rules, will be overridden by the next rules update. Just a wild guess here, but from what you said 
you may have these two rules in multiple .rules files, which eventually are included in snort.conf. When running Snort, 
do the startup messages indicate anything about duplicate rules? Just to further verify.

        > 
        > Thanks again.
        > 
        > -----Original Message-----
        > From: Y M [mailto:snort () outlook com] 
        > Sent: Friday, February 06, 2015 2:16 AM
        > To: Vona, Steven A CIV NSWCCD Philadelphia, 10411
        > Cc: snort-users
        > Subject: RE: [Snort-users] Disabling Rules via disablesid.conf
        > 
        > Comments inline.
        > 
        > 
        > From: steven.vona () navy mil
        > To: snort-users () lists sourceforge net
        > Date: Thu, 5 Feb 2015 20:47:40 +0000
        > Subject: [Snort-users] Disabling Rules via disablesid.conf
        > 
        > 
        > I have Snort running on a few sensors around our network. We have subscriptions for the rules and we use 
pulledpork to download the rules daily.
        > 
        > I am now attempting to tune the rules a little bit to disable some items that we do not need to see. I put 
these in the disablesid.conf file and when I run pulledpork I see:
        > 
        > Processing /etc/snort/disablesid.conf....
        > Disabled 3:21355
        > Disabled 3:19187
        > Modified 2 rules
        > Done
        > 
        > So it looks like it is disabling the rule, however I am still receiving alerts for the rule in my database.
        > 
        > Any ideas? 
        > ## Some ideas to troubleshoot: 1) verify that the same sids are not included in the enablesid.conf (lame but 
why not). 2) Has the order in which PulledPork processes rules been changed? 3) if you grep for the sids from the 
snort.rules (given you reconcile rules via PulledPork), do they exist? 4) Are these two rules included in another .rules 
file (local.rules or so)?
        > 
        > 
        > Additional info:
        > 
        > ,,_ -*> Snort! <*-
        > o" )~ Version 2.9.6.2 GRE (Build 77) 
        > '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
        > Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
        > Copyright (C) 1998-2013 Sourcefire, Inc., et al.
        > Using libpcap version 1.3.0
        > Using PCRE version: 7.8 2008-09-05
        > Using ZLIB version: 1.2.3
        > 
        > ------------------------------------------------------------------------------
        > Dive into the World of Parallel Programming. The Go Parallel Website,
        > sponsored by Intel and developed in partnership with Slashdot Media, is your
        > hub for all things parallel software development, from weekly thought
        > leadership blogs to news, videos, case studies, tutorials and more. Take a
        > look and join the conversation now. http://goparallel.sourceforge.net/
        > _______________________________________________
        > Snort-users mailing list
        > Snort-users () lists sourceforge net
        > Go to this URL to change user options or unsubscribe:
        > https://lists.sourceforge.net/lists/listinfo/snort-users
        > Snort-users list archive:
        > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        > Please visit http://blog.snort.org to stay current on all the latest Snort news!
        



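The thread's troubleshooting steps (is the SID also in enablesid.conf, does it exist in snort.rules, does another .rules file such as local.rules or a stale so_rules/*.rules still carry a live copy) can be scripted. The POSIX shell script below is an added example and is not code from the thread or from PulledPork. It assumes a PulledPork-style layout (rules/snort.rules, rules/local.rules, so_rules/) and "gid:sid" tokens in enablesid.conf/disablesid.conf; the rule text, file names and the sample tree it builds under a temp directory are constructed for the demo and reproduce the symptom described above: the stub in snort.rules is commented out, yet an untouched copy elsewhere still fires.

```shell
#!/bin/sh
# Added example (not from the thread or PulledPork): find every copy of a gid:sid
# across the .rules files and report whether each copy is commented out or live.

# list_sid_copies RULES_DIR GID SID
# Prints "file:line:status" for each rule line carrying this sid with this gid.
# A rule with no explicit gid keyword belongs to gid 1.
list_sid_copies() {
    rules_dir=$1 gid=$2 sid=$3
    find "$rules_dir" -type f -name '*.rules' \
        -exec grep -Hn -E "sid:[[:space:]]*${sid}[[:space:]]*;" {} + 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        lineno=${rest%%:*}
        text=$(printf '%s' "${rest#*:}" | sed 's/^[[:space:]]*//')
        rule_gid=$(printf '%s' "$text" | sed -n 's/.*gid:[[:space:]]*\([0-9]*\)[[:space:]]*;.*/\1/p')
        [ -n "$rule_gid" ] || rule_gid=1
        [ "$rule_gid" = "$gid" ] || continue
        case $text in
            \#*) status=commented ;;   # PulledPork disables by commenting the line
            *)   status=ACTIVE ;;
        esac
        printf '%s:%s:%s\n' "$file" "$lineno" "$status"
    done
}

# count_active_copies RULES_DIR GID SID -> number of uncommented copies
count_active_copies() {
    list_sid_copies "$1" "$2" "$3" | grep -c ':ACTIVE$' || true
}

# sid_listed FILE GID SID -> true when FILE has an uncommented "gid:sid" entry
sid_listed() {
    grep -q -E "^[[:space:]]*${2}:${3}([[:space:]]|$)" "$1" 2>/dev/null
}

# audit_sid RULES_DIR CONF_DIR GID SID -> summary of the thread's checks 1, 3 and 4
audit_sid() {
    a_rules=$1 a_conf=$2 a_gid=$3 a_sid=$4
    echo "== $a_gid:$a_sid =="
    sid_listed "$a_conf/disablesid.conf" "$a_gid" "$a_sid" && echo "listed in disablesid.conf"
    sid_listed "$a_conf/enablesid.conf"  "$a_gid" "$a_sid" && echo "WARNING: also listed in enablesid.conf"
    list_sid_copies "$a_rules" "$a_gid" "$a_sid"
}

# build_sample_tree DIR: constructed layout mirroring the thread. 3:21355 is
# commented out in snort.rules but live in a stale so_rules/bad_traffic.rules;
# 3:19187 is commented out in snort.rules, live in local.rules, and sits in
# enablesid.conf as well as disablesid.conf.
build_sample_tree() {
    d=$1
    mkdir -p "$d/rules" "$d/so_rules"
    cat > "$d/rules/snort.rules" <<'EOF'
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed stub A"; sid:21355; gid:3; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed stub B"; sid:19187; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed unrelated"; sid:1000001; rev:1;)
EOF
    cat > "$d/so_rules/bad_traffic.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed stub A"; sid:21355; gid:3; rev:1;)
EOF
    cat > "$d/rules/local.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed stub B copy"; sid:19187; gid:3; rev:1;)
EOF
    printf '3:21355\n3:19187\n' > "$d/disablesid.conf"
    printf '# constructed\n3:19187\n' > "$d/enablesid.conf"
}

# Demo run on the constructed tree (the two SIDs from the thread).
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
for pair in 3:21355 3:19187; do
    audit_sid "$demo_dir" "$demo_dir" "${pair%%:*}" "${pair#*:}"
done
rm -rf "$demo_dir"
```

On a real sensor, point the first two arguments of audit_sid at the rules directory and the directory holding the PulledPork .conf files; any record ending in ACTIVE for a SID you expected to be disabled names the file that snort.conf is still loading, which is exactly the case with the untouched so_rules/bad_traffic.rules above. The startup "duplicate rules" message mentioned in the thread is the independent confirmation.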
