Snort Rules - How to disable them


Zo La

Mar 27, 2015, 3:39:29 PM
to securit...@googlegroups.com
Hello,

I have several rules that I tried to disable and it didn't work. I want to disable them because I am getting so many alerts in a short period of time.

Here is one of them:

telnet_pp: Subnegotiation Begin without matching subnegotation end

Generator ID is 126 and Sig. ID is 3.

I tried disabling it under disablesid.conf (pulledpork) and I tried to suppress them under threshold.conf, and it doesn't work.

Any ideas?

Thank you very much.

Zeke

Doug Burks

Mar 30, 2015, 1:05:50 PM
to securit...@googlegroups.com
Hi Zeke,

What exactly did you try in /etc/nsm/rules/threshold.conf?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Zo La

Mar 30, 2015, 1:33:32 PM
to securit...@googlegroups.com
Hi Doug,

Thanks for the reply.

I put the following:

suppress gen_id 129, sig_id 3

Thanks,

Zeke

Doug Burks

Mar 30, 2015, 1:39:38 PM
to securit...@googlegroups.com
Your original email indicates that "Generator ID is 126", which doesn't match your suppress line.

Zo La

Mar 30, 2015, 4:06:09 PM
to securit...@googlegroups.com
I am sorry, that was a typo on my end. I meant to write 126.

suppress gen_id 126, sig_id 3

Doug Burks

Mar 30, 2015, 4:09:00 PM
to securit...@googlegroups.com
After adding that to /etc/nsm/rules/threshold.conf, did you then restart Snort?

Have you checked the Snort log file (/var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log) for any additional clues?

Zo La

Apr 10, 2015, 12:35:23 PM
to securit...@googlegroups.com
Thanks Doug. Restarting the server resolved the issue.

Thanks again,

Zeke
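The thread turns on two things: the suppress entry has to name the exact gen_id/sig_id pair that the alert carries (129 vs 126 silently matches nothing), and Snort only reads threshold.conf at start-up. The following script is an added example, not code from the thread or from Snort itself: a small parser for Snort 2.x `suppress` lines (the `track by_src|by_dst, ip <addr|cidr>` form is assumed from Snort's documented syntax; the config text is constructed) plus a checker you can run against an alert's GID/SID before restarting, so a typo like the one above is caught in advance.

```python
import ipaddress
import re

# Constructed threshold.conf content for the example (not from the thread).
THRESHOLD_CONF = """
# telnet preprocessor: Subnegotiation Begin without matching end (gen_id 126, sig_id 3)
suppress gen_id 126, sig_id 3
# constructed entry: silence one rule only for a single noisy source host
suppress gen_id 1, sig_id 2000001, track by_src, ip 10.0.0.5
"""

# Matches: suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_threshold_conf(text):
    """Return suppress entries as dicts; comments, blanks and other line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue  # threshold/event_filter lines are out of scope for this example
        gid, sid, track, ip = m.groups()
        entries.append({
            "gid": int(gid), "sid": int(sid), "track": track,
            "net": ipaddress.ip_network(ip, strict=False) if ip else None,
        })
    return entries

def is_suppressed(entries, gid, sid, src=None, dst=None):
    """True if an alert [gid:sid] from src to dst would be dropped by these entries."""
    for e in entries:
        if (e["gid"], e["sid"]) != (gid, sid):
            continue  # a gen_id typo (129 instead of 126) fails this comparison
        if e["track"] is None:
            return True  # unconditional suppress
        addr = src if e["track"] == "by_src" else dst
        if addr is not None and ipaddress.ip_address(addr) in e["net"]:
            return True
    return False

if __name__ == "__main__":
    entries = parse_threshold_conf(THRESHOLD_CONF)
    print("126:3 suppressed:", is_suppressed(entries, 126, 3))   # True
    print("129:3 suppressed:", is_suppressed(entries, 129, 3))   # False
```

Feed it the GID:SID from the alert line in snortu-1.log (or the `[gid:sid:rev]` prefix in the alert output); a `False` for the pair you expect to be silenced points at the config, and a `True` with alerts still arriving points at a Snort process that has not been restarted since the edit.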