Snort mailing list archives

Re: disabling specific snort rules


From: Roland RoLaNd <r_o_l_a_n_d () hotmail com>
Date: Thu, 24 Oct 2013 16:42:03 +0200


Thank you James, that did it for me.
Another question related to rules, if I may? I'm receiving a high number of false positive alerts. Using BASE, I'm getting thousands of alerts to a specific destination, which is my own remote server. May I ask for a way to exclude certain destinations (IPs or ports) from triggering alerts?

From: jlay () slave-tothe-box net
Date: Thu, 24 Oct 2013 04:33:20 -0600
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disabling specific snort rules


On Oct 24, 2013, at 3:18 AM, Roland RoLaNd <r_o_l_a_n_d () hotmail com> wrote:

All,
I configured pulledpork to retrieve rules and it's working as expected. Can someone please guide me on a best practice to edit such rules to enable/disable certain types? Previously, rules were divided by type under rules/* but now they all exist in one file, which is snort.rules.
Any advice on how to proceed would be appreciated.
Best,
Roland

Roland,
If you're doing single rules it's in your disabledsid or droppedsid conf files. If you're wanting to not use whole rulesets, add them comma separated in your pulledpork.conf file in the ignore= line.
James

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
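
What disabling single rules by SID amounts to once every rule lives in one snort.rules file, as an added example that is not part of the thread and not PulledPork's own code. It assumes a disable list of `gid:sid` entries (gid defaults to 1); the rules and SIDs are constructed, and the function names are hypothetical.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed sample input (SIDs in the local range), not real rules.
SAMPLE_RULES = '''\
alert tcp any any -> $HOME_NET 80 (msg:"constructed rule A"; content:"abc"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"constructed rule B"; flow:to_server; sid:1000002; rev:3;)
# alert udp any any -> any 53 (msg:"constructed rule C, already off"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"constructed rule D"; gid:3; sid:1000002; rev:1;)
'''
SAMPLE_DISABLE = "1:1000002  # noisy on our network\n1:1000009\n"

def parse_disable_list(text):
    """Parse 'gid:sid' entries, comma or newline separated, '#' starts a comment."""
    wanted = set()
    for line in text.splitlines():
        for item in line.split("#", 1)[0].split(","):
            item = item.strip()
            if item:
                gid, _, sid = item.rpartition(":")
                wanted.add((int(gid or 1), int(sid)))  # bare SID means gid 1
    return wanted

def rule_id(line):
    """Return (gid, sid) for an active rule line, None for comments and blanks."""
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return None
    sid = SID_RE.search(stripped)
    if not sid:
        return None
    gid = GID_RE.search(stripped)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def disable_rules(rules_text, wanted):
    """Comment out matching rules; also return entries that matched nothing."""
    out, hit = [], set()
    for line in rules_text.splitlines():
        rid = rule_id(line)
        if rid in wanted:
            hit.add(rid)
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", wanted - hit

if __name__ == "__main__":
    new_rules, unmatched = disable_rules(SAMPLE_RULES, parse_disable_list(SAMPLE_DISABLE))
    print(new_rules, "unmatched entries:", sorted(unmatched))
```

Matching on the (gid, sid) pair leaves rule D active although it shares a SID with rule B, and the unmatched set flags list entries that no longer correspond to any rule.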
  