Snort mailing list archives

Re: False positives(?) for spp_sip


From: wkitty42--- via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 20 Apr 2020 12:23:20 -0400

On 4/20/20 10:20 AM, Pettersson, Emil wrote:
Just to be sure, I found that we have multiples of snort.conf (this is on pfSense I should add), there is I guess the “main” one at /usr/local/etc/snort/snort.conf and then there are additional ones for each interface that we have Snort enabled on (i.e. /usr/local/etc/snort/snort_2591_em0/snort.conf). The latter seems to overwrite any changes whenever the Snort service is restarted so I can’t comment out the SIP pre-processor there, not sure if this is needed or if only the former is used to determine what rules are used?

you need to figure out where the template is that is being used to generate those interface confs and comment out the sip processor in there...

if you need different conf settings for each interface (eg: one has sip and the others do not) then you need to figure out if pfsense can do custom templates for each template...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list where it belongs!*
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
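
A check for the situation discussed in this message, as an added example that is not part of the original thread: it reports whether the SIP preprocessor is active in a given snort.conf and lists other files that carry the directive, which are the candidates for the template the per-interface confs are generated from. The function names, the directory tree and the `conf.template` file name are constructed for illustration; the thread does not say where pfSense keeps its template.

```shell
#!/bin/sh
# Added example, not from the thread. All paths below are constructed.

# sip_state FILE -> prints "enabled", "commented" or "absent" for the
# Snort 2.x "preprocessor sip" directive in FILE.
sip_state() {
    if grep -Eq '^[[:space:]]*preprocessor[[:space:]]+sip([[:space:]:]|$)' "$1"; then
        echo enabled
    elif grep -Eq '^[[:space:]]*#+[[:space:]]*preprocessor[[:space:]]+sip([[:space:]:]|$)' "$1"; then
        echo commented
    else
        echo absent
    fi
}

# sip_sources DIR -> lists files under DIR, other than a snort.conf itself,
# that mention the directive: candidates for the generating template.
sip_sources() {
    grep -rlE 'preprocessor[[:space:]]+sip([[:space:]:]|$)' "$1" 2>/dev/null |
        grep -v '/snort\.conf$' | sort
}

# Constructed sample tree: a main conf with SIP commented out, a generated
# per-interface conf with SIP still enabled, and a hypothetical template.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/etc/snort_em0" "$demo_dir/pkg"
printf '# preprocessor sip: max_sessions 40000\n' > "$demo_dir/etc/snort.conf"
printf 'preprocessor sip: max_sessions 40000, \\\n   ports { 5060 5061 }\n' \
    > "$demo_dir/etc/snort_em0/snort.conf"
printf 'preprocessor sip: max_sessions {$sip_max}\n' > "$demo_dir/pkg/conf.template"
printf 'preprocessor ssh: server_ports { 22 }\n' > "$demo_dir/pkg/other.template"

# Report the state of every snort.conf, then the template candidates.
find "$demo_dir" -name snort.conf | sort | while read -r conf; do
    printf '%s: %s\n' "$conf" "$(sip_state "$conf")"
done
echo "template candidates:"
sip_sources "$demo_dir"
```

Running `sip_state` on the per-interface conf again after a service restart shows whether a change survived regeneration.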
