Snort mailing list archives

Problem Disabling a Snort Rule


From: Jim Campbell via Snort-users <snort-users () lists snort org>
Date: Sat, 10 Nov 2018 13:25:25 -0500

In my /etc/snort/disablesid.conf file I have specified 12 rules.

When I run barnyard2, it reports that while processing /etc/snort/disablesid.conf it has modified 11 rules and skipped 1 rule because it is already disabled.

For several months, the entry for sid:2018959, while specified in the disablesid.conf file, isn't being disabled. The other 11 rules in disablesid.conf are being disabled.

I believe I know why this is happening but don't know what to do about it. Here's what I found.

One of the entries in disablesid.conf is for sid:2000419. I have these entries in numeric order, so it is before the entry for sid:2018959.

The entry for sid:2018959 contains in part "reference:url,doc.emergingthreats.net/bin/view/Main/2000419;". This text is prior to "sid:2018959;".

I suspect that when barnyard2 is parsing the entry for 2018959 it first comes across 2000419 and, since it has already disabled the rule for 2000419, skips disabling 2018959.

Other rules have the number in the Reference: field the same as the Sid: field.

Thank you,

Jim Campbell
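As an added illustration (not code from the post, nor from barnyard2 or pulledpork), the script below reproduces the suspected failure mode on two constructed rules shaped like the ones described: a hypothetical matcher that takes the first number in the rule text mis-attributes the second rule to sid 2000419 and reports it as "already disabled", while a matcher that reads the sid option disables both. The rule bodies, the `naive_rule_sid` helper and the modified/skipped bookkeeping are assumptions made for the demonstration.

```python
import re

# Constructed sample rules (not real Emerging Threats content); the second
# rule's reference URL embeds the first rule's sid, as in the post.
RULES = [
    'alert tcp any any -> any any (msg:"CONSTRUCTED rule A"; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2000419; '
    'classtype:misc-activity; sid:2000419; rev:3;)',
    'alert tcp any any -> any any (msg:"CONSTRUCTED rule B"; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2000419; '
    'classtype:misc-activity; sid:2018959; rev:2;)',
]
DISABLE = [2000419, 2018959]  # disablesid.conf entries, numeric order

# Correct extraction: the sid is the 'sid:<n>;' option in the rule body;
# a bare number elsewhere (e.g. inside a reference URL) is not a sid.
SID_RE = re.compile(r'(?:^|[;(\s])sid\s*:\s*(\d+)\s*;')

def rule_sid(rule, wanted=None):
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def naive_rule_sid(rule, wanted):
    """Hypothetical buggy extractor: first number in the rule text that
    matches a disablesid entry, whatever option it appears in."""
    for tok in re.findall(r'\d+', rule):
        if int(tok) in wanted:
            return int(tok)
    return None

def apply_disablesid(rules, disable, extract):
    """Comment out rules whose sid is listed; return (rules, modified, skipped)."""
    wanted, done = set(disable), set()
    out, modified, skipped = [], 0, 0
    for rule in rules:
        sid = extract(rule, wanted)
        if sid not in wanted:
            out.append(rule)
        elif sid in done:
            skipped += 1            # reported as "already disabled"
            out.append(rule)        # rule B is left enabled by mistake
        else:
            done.add(sid)
            modified += 1
            out.append('# ' + rule)
    return out, modified, skipped

if __name__ == '__main__':
    for name, fn in (('naive', naive_rule_sid), ('sid option', rule_sid)):
        _, mod, skip = apply_disablesid(RULES, DISABLE, fn)
        print(f'{name}: modified {mod}, skipped {skip}')
```

With the naive extractor the run prints "modified 1, skipped 1" and rule B stays enabled; with the sid-option extractor both rules are commented out.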



