Suricata Stream events - how to disable


Brian Kellogg

Dec 17, 2013, 7:07:37 PM12/17/13
to securit...@googlegroups.com
I've tried disabling all of the stream events in /etc/nsm/rules/disablesid.conf via:

1:2210000-1:2219999

I made the change on the server and ran rule-update first on the server then on the sensor. I do not see the disablesid.conf file being downloaded to the sensor, not sure if it should as it is not included as a download in the rule-update script.


thanks,
Brian

Keith Butler

Dec 17, 2013, 9:24:14 PM12/17/13
to securit...@googlegroups.com

PulledPork is using disablesid.conf to generate downloaded.rules, which is what gets pushed to your sensors. Check that file to see if those sid(s) are commented out.
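
One way to do the check Keith describes, as an added example that is not from this thread and not part of PulledPork or Security Onion: a small Python script that parses the gid:sid entries from disablesid.conf and reports any matching SIDs that are still uncommented in downloaded.rules. Both input files are constructed samples embedded inline (the range is the one from the question); pcre: and category entries in disablesid.conf are not handled.

```python
import re

# Constructed disablesid.conf sample (PulledPork syntax): a gid:sid range, a single sid, a comment.
DISABLESID_CONF = """\
# disable all Suricata stream events
1:2210000-1:2219999
1:2100498
"""

# Constructed downloaded.rules sample; the second rule is already commented out.
DOWNLOADED_RULES = """\
alert tcp any any -> any any (msg:"SURICATA STREAM wrong seq"; stream-event:3whs_wrong_seq_wrong_ack; sid:2210002; rev:1;)
# alert tcp any any -> any any (msg:"SURICATA STREAM bad ack"; sid:2210003; rev:1;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; sid:2100498; rev:7;)
alert ip any any -> any any (msg:"ET POLICY unrelated"; sid:2000001; rev:1;)
"""

RANGE_RE = re.compile(r"^(\d+):(\d+)-(\d+):(\d+)$")  # gid:sid-gid:sid
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_disablesid(text):
    """Return (gid, low_sid, high_sid) tuples for each gid:sid or gid:sid-gid:sid entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "-" not in line:
            line = f"{line}-{line}"  # single sid becomes a one-element range
        m = RANGE_RE.match(line)
        if not m:
            continue  # pcre:/category entries are not handled in this example
        gid, lo, _, hi = map(int, m.groups())
        entries.append((gid, lo, hi))
    return entries

def still_enabled(rules_text, entries):
    """SIDs matched by a disable entry that are still active (uncommented) in the rules file."""
    active = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented out: PulledPork disabled it as intended
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        if any(gid == 1 and lo <= sid <= hi for gid, lo, hi in entries):  # rules without gid are gid 1
            active.append(sid)
    return active
```

Run it against the real /etc/nsm/rules/disablesid.conf and downloaded.rules by reading those files into the two strings; an empty result means every listed sid was commented out.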

Martin Paszkiewicz

Dec 19, 2013, 10:14:42 AM12/19/13
to securit...@googlegroups.com
Brian,
Take a look in pulledpork.conf and find/uncomment the line that reads: ignore=

Here is an example from my conf file:

ignore=web_client.rules,web_specific_apps.rules,snmp.rules,stream-events.rules,decoder-events.rules,rbn.rules,shellcode.rules,deleted.rules,dshield.rules,drop.rules,icmp_info.rules,icmp.rules,voip.rules,tftp.rules,scada.rules,scada_special.rules,telnet.rules,netbios.rules,rbn-malvertisers.rules,ciarmy.rules,web-client.rules,experimental.rules,attack_response.rules,deleted.rules,local.rules


---Notice stream-events.rules


I then run the following first after making a change:

sudo /usr/bin/pulledpork.pl -c /etc/nsm/pulledpork/pulledpork.conf -vvv


---which should tell you what has changed.

Then I run: rule-update

Hope I didn't miss anything...

-martin

Brian Kellogg

Mar 26, 2014, 12:15:55 PM3/26/14
to securit...@googlegroups.com
Forgot to thank you for this, so thanks, as it seems to work.