Netgate Discussion Forum
Disable class

IDS/IPS
4 Posts 3 Posters 1.2k Views
    mdes, last edited Oct 5, 2017, 12:16 PM

    How can one disable whole class in GUI, for example Generic Protocol Command Decode?

      bmeeks, Oct 5, 2017, 12:55 PM (last edited Oct 5, 2017, 12:58 PM)

      @mdes:

      How can one disable whole class in GUI, for example Generic Protocol Command Decode?

      You can probably do this using regular expression matching in the disablesid.conf file on the SID MGMT tab. It will take some careful experimentation to get your regular expression syntax correct and be sure it's not too broad and flagging other desired rules for suppression. I'm not a regex expert, though. Anything I do with regex involves hours of Google searches for examples to copy … :-[.

      Enable automatic SID management by clicking the checkbox under the SID MGMT tab. Then open up and look at the example disablesid.conf file you find there. Inside will be various examples. Essentially what SID MGMT does is use PERL compatible regular expression (pcre) matches to identify rules for further action. Rules that match a pcre in the disablesid.conf file are auto-disabled, rules matching a pcre in the enablesid.conf file are automatically enabled, and rules matching a pcre in the modifysid.conf file are auto-modified according to the pcre text.

      Bill

        bbrendon, last edited Oct 6, 2017, 6:11 AM

        If you have your SID mgmt set to enable/disable, then you should be able to add to your disablesid.conf:

        pcre:protocol-command-decode

        I'm not sure if you need to escape the '-' but it should work.

          bmeeks, last edited Oct 9, 2017, 5:43 PM

          @bbrendon:

          If you have your SID mgmt set to enable/disable, then you should be able to add to your disablesid.conf:

          pcre:protocol-command-decode

          I'm not sure if you need to escape the '-' but it should work.

          Thanks @bbrendon for the regex example.  It should work.  I, too, am not sure about the need for escaping the dash.  The OP can check the results of the regex by looking at the list of active rules for the interface.  The active rules will be found in the interface subdirectory inside a sub-directory called rules in a file called suricata.rules (or snort.rules for Snort).  The path is like so for Suricata (Snort is the same, just replace "suricata" with "snort" in the path):

          /usr/local/etc/suricata/suricata_xxxyyyyyy/rules

          where xxx will be the physical interface name and yyyyyy will be a random GUID number.

          You can open the rules files you find there to see the actual enabled runtime rules for the interface.

          Bill

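The concern raised in this thread is that a disablesid.conf pcre can be broader than intended and catch rules outside the class you meant to disable. The following dry-run script is an added example, not code from the pfSense package or from anyone in this thread; it assumes the SID MGMT pcre is tested against the full rule line, handles only the "pcre:" entry form, and uses constructed rules rather than a real ruleset.

```python
import re

# Constructed disablesid.conf fragments. Only the "pcre:" entry form from
# the thread is handled (assumption); other lines are ignored.
BROAD_CONF = "pcre:protocol-command-decode\n"
TIGHT_CONF = "# anchor on the classtype keyword rather than the bare name\npcre:classtype:protocol-command-decode\n"

# Constructed rules in Suricata/Snort syntax (not real ruleset content).
SAMPLE_RULES = """\
alert tcp any any -> any 21 (msg:"CONSTRUCTED FTP decode"; classtype:protocol-command-decode; sid:9000001; rev:1;)
alert tcp any any -> any 25 (msg:"CONSTRUCTED SMTP decode"; classtype:protocol-command-decode; sid:9000002; rev:1;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED recon"; classtype:attempted-recon; sid:9000003; rev:1;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED protocol-command-decode lookalike"; classtype:misc-activity; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)")

def load_pcres(conf_text):
    """Compile every pcre: entry; a malformed pattern raises re.error here."""
    pcres = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("pcre:"):
            pcres.append(re.compile(line[len("pcre:"):]))
    return pcres

def dry_run(conf_text, rules_text):
    """Return {sid: classtype} for each rule line that any pcre would hit.
    Assumption: the pattern is searched against the whole rule line."""
    pcres = load_pcres(conf_text)
    hits = {}
    for rule in rules_text.splitlines():
        if not rule.startswith(("alert", "drop", "pass", "reject")):
            continue  # skip comments, blanks and already-disabled (#) rules
        if any(p.search(rule) for p in pcres):
            sid = SID_RE.search(rule)
            ct = CLASSTYPE_RE.search(rule)
            if sid:
                hits[int(sid.group(1))] = ct.group(1) if ct else None
    return hits

def collateral(hits, wanted_classtype):
    """Hits whose classtype is not the one you intended to disable."""
    return {s: c for s, c in hits.items() if c != wanted_classtype}

if __name__ == "__main__":
    for name, conf in (("broad", BROAD_CONF), ("tight", TIGHT_CONF)):
        h = dry_run(conf, SAMPLE_RULES)
        print(name, "disables", sorted(h), "collateral", collateral(h, "protocol-command-decode"))
```

On the dash question from the thread: outside a character class a literal "-" needs no escaping in PCRE, so both patterns above work unescaped. Running the script against the real suricata.rules or snort.rules file under the interface directory Bill names shows exactly which SIDs a candidate pcre would disable before you commit it.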
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.