Snort mailing list archives

Re: Help a Noob out


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Wed, 11 May 2011 02:09:02 -0400

On Tue, 10 May 2011 23:20:48 -0500, Gibson, Nathan J. (HSC) wrote:
> Not sure what I am missing here but I have “web-client” in my
> disabledsid.conf for pulled pork. And it's processed last but for some
> reason this rule keeps getting turned back on.
>
> WARN - 1:15587 is re-enabled by a check of the http.doc flowbit!
>
> How does one go about “unsetting” a flowbit so pulled pork won't
> re-enable it?

There are other rules that use that flowbit that aren't in the 
web-client category. specific-threats.rules for example.

If you do not want to see events from that rule, you can either look at 
an event_filter (see threshold.conf) or use "flowbits:noalert;" in the 
rule itself.

Alternatively, you can disable the rules that use that flowbit and it 
won't get switched on by PP.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
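
The dependency described in the reply above, as an added example that is not part of the original message and is not PulledPork's own code: a disabled rule that sets a flowbit comes back on while any enabled rule still checks that flowbit. The rule bodies and SIDs 1000001-1000003 are constructed, and the function names `parse_rules` and `flowbit_reenabled` are hypothetical; only SID 15587 and the `http.doc` flowbit come from the thread.

```python
import re

# Constructed sample rules (not real VRT rule text). Only SID 15587 and the
# http.doc flowbit name come from the thread. A leading '#' means disabled.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed web-client setter"; flowbits:set,http.doc; flowbits:noalert; sid:15587; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed specific-threats checker"; flowbits:isset,http.doc; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed disabled checker"; flowbits:isset,http.pdf; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed pdf setter"; flowbits:set,http.pdf; sid:1000003; rev:1;)
"""

RULE_RE = re.compile(r"^(#\s*)?(alert|log|pass|drop|reject|sdrop)\s.*?\((.*)\)\s*$")
FLOWBIT_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+?))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Map sid -> {'enabled', 'sets', 'checks'} for every rule line in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        sid = SID_RE.search(m.group(3)) if m else None
        if not sid:
            continue
        sets, checks = set(), set()
        for action, names in FLOWBIT_RE.findall(m.group(3)):
            # "bit1&bit2" / "bit1|bit2" name several bits; ",group" is dropped
            bits = {b.strip() for b in re.split(r"[&|]", names.split(",")[0]) if b.strip()}
            if action in ("set", "setx", "toggle"):
                sets |= bits
            elif action in ("isset", "isnotset"):
                checks |= bits
        rules[int(sid.group(1))] = {"enabled": m.group(1) is None, "sets": sets, "checks": checks}
    return rules

def flowbit_reenabled(rules):
    """Return {sid: {flowbit: [enabled checker sids]}} for disabled setter rules."""
    enabled = {s for s, r in rules.items() if r["enabled"]}
    result, changed = {}, True
    while changed:  # repeat: a re-enabled rule may itself check another flowbit
        changed = False
        for sid, rule in rules.items():
            if sid in enabled:
                continue
            why = {bit: sorted(s for s in enabled if bit in rules[s]["checks"]) for bit in rule["sets"]}
            why = {bit: users for bit, users in why.items() if users}
            if why:
                result[sid] = why
                enabled.add(sid)
                changed = True
    return result
```

The checker SIDs it reports are the rules that would also have to be disabled for the setter to stay off.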
