Snort mailing list archives
Preprocessor disabling question
From: SnortFan <SnortFan () yahoo com>
Date: Tue, 18 Feb 2014 12:47:41 -0500
Hi All,
Other than suppressing in the threshold.conf file on each sensor, what is the best way to disable a few of the
preprocessors by Sid #? I've searched and nothing I'm reading is very clear.
I'm using pulledpork, but would placing a disable in the disablesid.conf work for a preprocessor?
I've read mention of modifying the snort.conf but I don't see how you would block an individual Sid.
If the only option is the threshold.conf, is it possible to do an include statement in the file, so I would then push
out a universal set of suppressions to all my sensors and beable to update them all at once.
Thanks,
Ed
Sent from a mobile device.
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question Joel Esler (jesler) (Feb 18)
- Re: Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question Joel Esler (jesler) (Feb 19)
- Re: Preprocessor disabling question SnortFan (Feb 18)
- Re: Preprocessor disabling question Joel Esler (jesler) (Feb 18)