
[Snort-users] SSH MISMATCH


AllowOverride

Oct 17, 2012, 6:10:23 PM10/17/12
I am trying to turn off this alert in preproc_rules/preprocessor.rules:

#alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)

I commented it out, but it still shows up in BASE.

Which leads to another logical question:

How can one find out where a rule lives in the first place?
I figured out that in BASE, if I mouse over the Snort portion, it states
128-4, which I figured you can grep for: grep 128, go to the file, four entries down,
and find it that way.

1. Is there another, easier way to find them?

2. Lastly, how can I turn 128-4 off for good?

Thanks


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Jefferson, Shawn

Oct 18, 2012, 6:18:13 PM10/18/12
Pre-processor rules are "built in" to Snort, and when you compile Snort you can specify that you want to enable pre-processor rules (I typically use --enable-sourcefire, which enables some other options you'll most likely want as well). Then you need to have the pre-processor rules files specified in your snort.conf as well. You can then disable rules in these files as you mention. Make sure to -HUP Snort to get it to re-read the rule config (I'm pretty sure that works for pre-processor rules as well; someone correct me if I'm wrong).

Michael Steele

Oct 18, 2012, 8:23:17 PM10/18/12
Aren't you using PulledPork?

Michael...

AllowOverride

Oct 18, 2012, 9:53:35 PM10/18/12
Yes, I am using PP. That's what is puzzling me. From what the other user
said, it's built in.

I guess I will try to recompile, then negate it with the snort command.

Just a few thoughts. Thanks.

Joel Esler

Oct 19, 2012, 10:17:49 AM10/19/12
Use the disablesid.conf in pulledpork to turn off this particular rule.

Castle, Shane

Oct 19, 2012, 10:40:21 AM10/19/12
You know, I could be wrong, but my understanding is that these must be turned off by tuning the preprocessor config in the snort.conf, not in disablesid.conf, PulledPork, or by commenting out the rule. They can be suppressed using threshold.conf, of course.

Am I wrong?

--
Shane Castle
Data Security Mgr, Boulder County IT

Joel Esler

Oct 19, 2012, 10:41:15 AM10/19/12
If you are using the preprocessor.rules, you can simply disable the alerting rule.
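The following is an added example, not code from the thread or from the Snort project. It is a POSIX shell script that answers the original poster's two questions (how to find where a gid:sid rule lives, and how to turn 128:4 off) and puts the mechanisms mentioned in the replies side by side: commenting the rule out in preprocessor.rules, a PulledPork disablesid.conf entry, a threshold.conf suppression, and removing the check from the ssh preprocessor line in snort.conf. The sample rules directory, its file names, the rules other than the 128:4 one quoted in the thread, and the abbreviated `preprocessor ssh:` line are all constructed for the demo; `enable_protomismatch` is Snort 2.9's ssh preprocessor keyword for this check and is not something the thread names.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): locate a Snort 2.x
# rule by gid:sid, then emit each of the ways the replies mention for
# silencing it. The sample rules directory, file names and the rules other
# than 128:4 are constructed for this demo.

# find_rule GID SID DIR: print "file:line:rule" for the rule carrying that
# gid:sid. Text rules carry no gid option (implicit gid 1); preprocessor and
# decoder rules carry an explicit "gid: N;". Whitespace after the colon is
# optional, so "sid:4;" and "sid: 4;" both match, while "sid: 40;" does not.
find_rule() {
    gid=$1; sid=$2; dir=$3
    sid_re="sid:[[:space:]]*${sid}[[:space:]]*;"
    if [ "$gid" = 1 ]; then
        grep -rnE "$sid_re" "$dir" | grep -vE 'gid:[[:space:]]*[0-9]+'
    else
        grep -rnE "$sid_re" "$dir" | grep -E "gid:[[:space:]]*${gid}[[:space:]]*;"
    fi
}

# comment_out GID SID FILE: prefix the matching rule line with '#', the same
# edit the poster made by hand. Idempotent and portable (no sed -i).
comment_out() {
    gid=$1; sid=$2; file=$3; tmp="$file.tmp.$$"
    awk -v g="$gid" -v s="$sid" '
        $0 ~ ("sid:[ \t]*" s "[ \t]*;") && $0 ~ ("gid:[ \t]*" g "[ \t]*;") &&
        $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# disablesid_line GID SID: the gid:sid entry PulledPork's disablesid.conf
# takes; PulledPork comments the rule out for you on its next run.
disablesid_line() { printf '%s:%s\n' "$1" "$2"; }

# suppress_line GID SID: a threshold.conf suppression. The rule stays loaded
# and the preprocessor still inspects the traffic; only the event is dropped.
suppress_line() { printf 'suppress gen_id %s, sig_id %s\n' "$1" "$2"; }

# ssh_preproc_without_protomismatch LINE: the snort.conf route. Snort 2.9's
# ssh preprocessor only raises 128:4 when enable_protomismatch is set, so
# dropping that keyword from the "preprocessor ssh:" line turns the check off
# at the source instead of hiding its alerts.
ssh_preproc_without_protomismatch() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*enable_protomismatch//'
}

# make_demo_rules DIR: constructed files. The 128:4 rule is the one quoted in
# the thread; the others are filler so the lookup has something to reject.
make_demo_rules() {
    mkdir -p "$1/preproc_rules"
    cat > "$1/preproc_rules/preprocessor.rules" <<'EOF'
alert ( msg: "CONSTRUCTED_SSH_EVENT_A"; sid: 1; gid: 128; rev: 1; metadata: rule-type preproc, service ssh; classtype:attempted-admin; )
alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh; classtype:non-standard-protocol; )
alert ( msg: "CONSTRUCTED_SSH_EVENT_B"; sid: 40; gid: 128; rev: 1; metadata: rule-type preproc, service ssh; classtype:non-standard-protocol; )
EOF
    # Same sid number, different gid: must NOT come back for a 128:4 lookup.
    cat > "$1/local.rules" <<'EOF'
alert tcp any any -> any 22 (msg:"CONSTRUCTED local sid 4"; sid:4; rev:1;)
EOF
}

# Demo run on the constructed tree (abbreviated preprocessor line, constructed).
demo=$(mktemp -d)
make_demo_rules "$demo"
find_rule 128 4 "$demo"
comment_out 128 4 "$demo/preproc_rules/preprocessor.rules"
find_rule 128 4 "$demo"
disablesid_line 128 4
suppress_line 128 4
ssh_preproc_without_protomismatch \
    'preprocessor ssh: server_ports { 22 } autodetect enable_respoverflow enable_protomismatch enable_badmsgdir'
rm -rf "$demo"
```

The four silencing functions are deliberately separate because they do different things: commenting the rule out or listing it in disablesid.conf stops the event being generated by that rule, a threshold.conf suppress only discards it at output time, and editing the preprocessor line stops the check running at all. Whichever you pick, the config has to be re-read (restart or -HUP) before BASE stops showing new 128:4 events.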

AllowOverride

Oct 20, 2012, 2:46:08 AM10/20/12
Preproc implies "inline". I am not running inline; therefore, I shut
them off with instructions in pulledpork.conf. I took the # away as well
in preprocessor.rules. IDS mode is a different story/conf altogether.
Not there yet... eventually. I have to figure out/read about inline
later.

Thanks, enjoy

waldo kitty

Oct 21, 2012, 1:00:52 PM10/21/12
On 10/20/2012 02:46, AllowOverride wrote:
>
>
> Preproc implies "inline",

sorry but no... "preproc" implies a "processor before another processor"...
depending on what you are wanting snort to look at and how you want it to see
it, they may be necessary...

> i am not running inline,

i do not run inline, either... never have...

> therefore, i shut them off...

eeewww...

> with instructions in pulledpork.conf. I took the # away as well
> in preprocessor.rules. IDS mode is a different story/conf altogether.
> Not there yet... eventually. I have to figure out/read about inline
> later.

it is my understanding that all inline really does is to place snort /in/ the
path of the traffic instead of out beside it watching it flow by... by being
inline, snort can then cause packets to be dropped by dropping them itself and
not passing them on to the original destination port...