At present I am commenting out rules I do not use.
This works fine until I update the rules, then obviously the rules that were
commented out will no longer be.
I thought that you could prevent rules being used by adding lines such as -
suppress gen_id 1, sig_id 1852 to
I now realise that just prevents the log/alert; it doesn't prevent the rule
from running - I know this to be true as I am running in inline mode (with
drop) and lots of things do not work until I comment out the lines of the
My question is, is there any config file I can tell snort to ignore a sid
id, so that when I replace the updated rules I am still whitelisting certain
Also I still notice that inline mode doesn't work with 64bit in the standard
snort version (184.108.40.206) - when will 64bit standard snort (inline) work with
64 bit ?
Running snort-inline svn 220.127.116.11 - Debian Lenny - AMD64
On 12/30/09 7:50 AM, Morgan Cox wrote:
> At present I am commenting out rules I do not use.
> This works fine until I update the rules, then obviously the rules
> that were commented out will no longer be.
Use oinkmaster. You use oinkmaster to both update rules AND keep your
customizations (including disabling rules).
It's much better to disable the rule, same ram, cpu, buffer space, than
ignore it once it's been triggered.
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
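The approach recommended in the reply, sketched as an added example that is not part of the thread and is not oinkmaster's own code: a list of SIDs kept outside the rule files is re-applied after every rule update, so the listed rules are never loaded (unlike `suppress`, which only hides the alert). The `disablesid` line follows oinkmaster's config syntax; the rule text, the SIDs other than 1852 and the function names are constructed for illustration, and each rule is assumed to sit on a single line.

```python
import re

# Matches the sid option inside a rule's option block, e.g. "sid:1852;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed persistent list; survives rule updates because it lives
# outside the downloaded rule files.
DISABLE_CONF = """\
# SIDs that must stay off in inline/drop mode (constructed list)
disablesid 1852, 1000002
"""

# Constructed stand-in for a freshly downloaded rule file.
FRESH_RULES = """\
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1852; rev:1;)
alert tcp any any -> any 80 (msg:"constructed rule B"; sid:1000001; rev:1;)
# alert tcp any any -> any 21 (msg:"constructed rule C"; sid:1000002; rev:1;)
"""

def parse_disabled_sids(conf_text):
    """Collect SIDs from 'disablesid a, b, c' lines; '#' starts a comment."""
    sids = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("disablesid"):
            for token in line[len("disablesid"):].split(","):
                token = token.strip()
                if token.isdigit():
                    sids.add(int(token))
    return sids

def disable_rules(rules_text, disabled):
    """Comment out active rules whose sid is listed; return (text, changed)."""
    out, changed = [], []
    for line in rules_text.splitlines():
        match = SID_RE.search(line)
        active = not line.lstrip().startswith("#")
        if match and active and int(match.group(1)) in disabled:
            out.append("#" + line)  # rule is no longer loaded at all
            changed.append(int(match.group(1)))
        else:
            out.append(line)  # untouched: not listed, or already disabled
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    text, changed = disable_rules(FRESH_RULES, parse_disabled_sids(DISABLE_CONF))
    print(text, end="")
    print("disabled after update:", changed)
```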