Snort mailing list archives

Re: FATAL ERROR - Preproc Rule Help - rule duplicates


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 25 May 2016 21:07:55 +0000

Preprocessor and decoder rules are two different things. Each is included in its own separate file in the default snort 
download.

include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

If the rules are commented out (with a # symbol) they are disabled and not evaluated by snort. There is nothing else 
that needs to be done.

You may want to check your pulledpork setup.



Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Matthew White [mailto:on3moda () gmail com]
Sent: Wednesday, May 25, 2016 4:52 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FATAL ERROR - Preproc Rule Help - rule duplicates

If you are properly blocking the events from the preprocessor portion, then they shouldn't even make it to the unified
logs to be dumped by barnyard to the database, correct?

On Wed, May 25, 2016 at 3:43 PM, Matthew White <on3moda () gmail com> wrote:
Do you need to have decoder rules uncommented as well for this to work?

On Wed, May 25, 2016 at 1:34 PM, Matthew White <on3moda () gmail com> wrote:
So, pass or # by editing /etc/snort/preproc_rules/preprocessor.rules and editing disablesid.conf didn't stop
these events from being logged to the database.

On Wed, May 25, 2016 at 12:56 PM, Matthew White <on3moda () gmail com> wrote:
Looks like pulledpork is pulling their own. So there are two places this can be set. Going to try to comment out and
edit disablesid.conf.

On Wed, May 25, 2016 at 12:50 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
The Snorby UI is outside our scope so maybe someone else can chime in.

Putting the # in front of the rule disables it. Snort will have to be restarted for the changes to take effect.

Good luck.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Matthew White [mailto:on3moda () gmail com]
Sent: Wednesday, May 25, 2016 1:27 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FATAL ERROR - Preproc Rule Help - rule duplicates

Line 29:
pass ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281; reference:bugtraq,43338; reference:cve,2011-5007; )

When I put # in front of it, it was still showing in Snorby.

On Wed, May 25, 2016 at 11:24 AM, Al Lewis (allewi) <allewi () cisco com> wrote:
What does line 29 in your preprocessor.rules file look like?

To disable the rule you need to put a ‘#’ in front of the line.



Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Matthew White [mailto:on3moda () gmail com]
Sent: Wednesday, May 25, 2016 12:18 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] FATAL ERROR - Preproc Rule Help - rule duplicates

I am trying to tune Snort at the processor level in the flow before info is processed to lighten the CPU usage.

Steps I have tried, to no avail:
1. Commenting the rule out using #.
2. Changing alert to pass, which produces the following error:

FATAL ERROR: /etc/snort/preproc_rules/preprocessor.rules(29) GID 119 SID 15 in rule duplicates previous rule, with different type.

Instructions I am following

https://www.snort.org/faq/readme-decoder_preproc_rules

Is there something else I am missing?

Thanks,

Matthew
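The FATAL ERROR above is what Snort raises when the same GID:SID is loaded twice with different actions, which is exactly what happens when a hand-edited preprocessor.rules (rule flipped to pass) and a second pulledpork-written copy of the same rule (still alert) are both included from snort.conf. The script below, an added example that is not part of this thread or of the Snort or pulledpork projects, reproduces that duplicate check over a set of rule files, lists the colliding copies with their file and line, emits the matching disablesid.conf entries for pulledpork, and shows that commenting a rule out in one file (the '#' fix from the thread) only removes that one copy. The rule texts and the second file path (/etc/snort/rules/pulledpork-preprocessor.rules) are constructed sample data, not files or rule text from the original post.

```python
import re
from collections import defaultdict

# A decoder/preprocessor rule is an action keyword followed by '(' and options.
# '#' in front of the action is how Snort expects a rule to be disabled.
RULE_RE = re.compile(
    r'^\s*(?P<commented>#\s*)?(?P<action>alert|log|pass|drop|sdrop|reject)\s*\(',
    re.IGNORECASE)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_rules(text, filename):
    """Return the active (uncommented) rules in one file as
    (gid, sid, action, filename, lineno) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m or m.group('commented'):
            continue  # blank line, comment, or '#'-disabled rule: Snort never loads it
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        gid_m = GID_RE.search(line)
        gid = int(gid_m.group(1)) if gid_m else 1  # Snort defaults gid to 1
        rules.append((gid, int(sid_m.group(1)), m.group('action').lower(),
                      filename, lineno))
    return rules


def active_copies(rule_files, gid, sid):
    """All loaded copies of one gid:sid across the files, as (action, file, lineno)."""
    return [(a, f, ln) for fname, text in rule_files.items()
            for g, s, a, f, ln in parse_rules(text, fname) if (g, s) == (gid, sid)]


def find_conflicts(rule_files):
    """rule_files: {filename: contents}, in snort.conf include order.
    Returns {(gid, sid): [(action, file, lineno), ...]} for every GID:SID that is
    loaded more than once with differing actions, i.e. the condition behind
    Snort's 'duplicates previous rule, with different type' FATAL ERROR."""
    seen = defaultdict(list)
    for fname, text in rule_files.items():
        for gid, sid, action, f, ln in parse_rules(text, fname):
            seen[(gid, sid)].append((action, f, ln))
    return {k: v for k, v in seen.items() if len({a for a, _, _ in v}) > 1}


def disablesid_entries(conflicts):
    """gid:sid lines for pulledpork's disablesid.conf, so its own copy of the
    rule is written out commented instead of as a live alert."""
    return sorted(f"{gid}:{sid}" for gid, sid in conflicts)


def disable_rule(text, gid, sid):
    """Return text with every active rule carrying this gid:sid commented out."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group('commented'):
            sid_m, gid_m = SID_RE.search(line), GID_RE.search(line)
            g = int(gid_m.group(1)) if gid_m else 1
            if sid_m and (g, int(sid_m.group(1))) == (gid, sid):
                line = '# ' + line
        out.append(line)
    return '\n'.join(out) + '\n'


# Constructed sample data (not the poster's real files): the hand-edited
# preprocessor.rules with 119:15 flipped to 'pass', and a hypothetical second
# copy of the same rules written by pulledpork where 119:15 is still 'alert'.
EDITED = "/etc/snort/preproc_rules/preprocessor.rules"
PULLED = "/etc/snort/rules/pulledpork-preprocessor.rules"
SAMPLE_FILES = {
    EDITED: (
        'pass ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; '
        'metadata: rule-type preproc, service http ; classtype:bad-unknown; )\n'
        'alert ( msg: "SAMPLE_RULE_B"; sid: 33; gid: 119; rev: 1; '
        'metadata: rule-type preproc ; classtype:bad-unknown; )\n'
        '# alert ( msg: "SAMPLE_RULE_C"; sid: 18; gid: 119; rev: 1; '
        'metadata: rule-type preproc ; classtype:bad-unknown; )\n'
    ),
    PULLED: (
        'alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; '
        'metadata: rule-type preproc, service http ; classtype:bad-unknown; )\n'
        'alert ( msg: "SAMPLE_RULE_B"; sid: 33; gid: 119; rev: 1; '
        'metadata: rule-type preproc ; classtype:bad-unknown; )\n'
    ),
}

if __name__ == "__main__":
    for (gid, sid), copies in find_conflicts(SAMPLE_FILES).items():
        print(f"GID {gid} SID {sid} loaded with different types:")
        for action, fname, ln in copies:
            print(f"  {fname}({ln}): {action}")
    print("disablesid.conf:", disablesid_entries(find_conflicts(SAMPLE_FILES)))
    fixed = dict(SAMPLE_FILES)
    fixed[EDITED] = disable_rule(SAMPLE_FILES[EDITED], 119, 15)
    print("still active after '#' in one file:", active_copies(fixed, 119, 15))
```

Run against the real includes from snort.conf, the conflict report points at the two lines Snort is complaining about; 119:33 is loaded twice too, but both copies are alert, so Snort accepts it. Disabling the rule in only the hand-edited file clears the FATAL ERROR yet leaves pulledpork's alert copy live, which is why the events kept reaching barnyard and Snorby until disablesid.conf was updated and Snort restarted.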
