Re: How to turn off a rule

["Michael Steele" <michaels () winsnort com>]

If he is using PP, then there is a specific process to use. Not sure at this
point how he is preforming rule management.

Michael...

-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com] 
Sent: Thursday, October 11, 2012 3:40 PM
To: AllowOverride
Cc: snort-users
Subject: Re: [Snort-users] How to turn off a rule

You comment our a rule that you don't want, then restart snort for that
change to take effect.

In the case of SSH protocal mismatches, it's probably not a rule, but the
preprocessor.. in which case;

http://lmgtfy.com/?q=snort+ssh+Protocol+mismatch

There's been a lot of talk about various way to disable to alert to match
your needs.



On Thu, Oct 11, 2012 at 7:31 PM, AllowOverride <allowoverride () gmail com>
wrote:
> ok, my understanding is to turn off a rule in snort.rules by simply 
> putting a # or commenting it out, in front of the rule.
>
> my question is:
>
>             #22-(2-5946)
> [snort] ssh: Protocol mismatch
>
> turn off this rule.
>
> what do i look for, there are a shyt load of ssh rules.
> maybe look for leading line stating 22?
>
> or grep 5946, in snort.rules, right?
>
> thanks!
>
> ps this is a false positive, as i am 192.168.1.35 connecting to 
> 192.168.1.14.. its me.
>
>
> ----------------------------------------------------------------------
> -------- Don't let slow site performance ruin your business. Deploy 
> New Relic APM Deploy New Relic app performance management and know 
> exactly what is happening inside your Ruby, Python, PHP, Java, and 
> .NET app Try New Relic at no cost today and get our sweet Data Nerd 
> shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
news!

----------------------------------------------------------------------------
--
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly what is
happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at
no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!


------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!