From: Morgan C. <mor...@gm...> - 2009-12-30 12:50:56
Hi.

At present I am commenting out rules I do not use. This works fine until I update the rules; then, obviously, the rules that were commented out will no longer be.

I thought that you could prevent rules being used by adding lines such as

    suppress gen_id 1, sig_id 1852

to /etc/snort/threshold.conf. I now realise that this just prevents the log/alert; it doesn't prevent the rule from running. I know this to be true as I am running in inline mode (with drop) and lots of things do not work until I comment out the lines of the rules...

My question is: is there any config file where I can tell snort to ignore a sid id, so that when I replace the updated rules I am still whitelisting certain rules?

Also, I still notice that inline mode doesn't work with 64bit in the standard snort version (2.8.5.1) - when will 64bit standard snort (inline) work with 64 bit?

Running snort-inline svn 2.8.4.1 - Debian Lenny - AMD64

Cheers
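The manual step described in the message above (commenting out unwanted rules by SID, which a rule update then undoes) can be re-applied after every update from a saved SID list. The following is an added example, not part of the original post and not Snort's own code; the function name, the sample rules and every SID other than 1852 are constructed for illustration.

```python
import re

# The sid option inside a rule's option block, e.g. "sid:1852;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# First token of an active (uncommented) rule, including the inline-mode actions
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}

# Constructed sample rules for this example, not taken from any real rule set
SAMPLE_RULES = """\
# constructed rule file
alert tcp any any -> any 80 (msg:"constructed example A"; content:"/a"; sid:1852; rev:1;)
drop tcp any any -> any 80 (msg:"constructed example B"; \\
    content:"/b"; sid:1000001; rev:1;)
#alert tcp any any -> any 80 (msg:"constructed example C"; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"constructed example D"; sid:1000003; rev:1;)
"""

def disable_sids(rules_text, disabled):
    """Comment out every active rule whose sid is in `disabled`.

    Returns (new_text, list_of_sids_commented_out). Rules that are already
    commented out are left alone, so running it twice changes nothing.
    """
    out, hit = [], []
    lines = rules_text.splitlines()
    i = 0
    while i < len(lines):
        # Collect a rule that continues over several lines with a trailing "\"
        block = [lines[i]]
        while block[-1].rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            block.append(lines[i])
        i += 1
        joined = " ".join(l.rstrip().rstrip("\\") for l in block)
        first = (joined.split() or [""])[0]
        m = SID_RE.search(joined)
        if first in ACTIONS and m and int(m.group(1)) in disabled:
            out.extend("# " + l for l in block)  # comment every physical line
            hit.append(int(m.group(1)))
        else:
            out.extend(block)
    return "\n".join(out) + "\n", hit

if __name__ == "__main__":
    text, changed = disable_sids(SAMPLE_RULES, {1852, 1000001})
    print(text, "disabled:", changed)
```

Because the rule never loads once it is commented out, this also stops it from dropping traffic in inline mode, which a `suppress` line does not.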