Disable class



  • How can one disable whole class in GUI, for example Generic Protocol Command Decode?



  • @mdes:

    How can one disable whole class in GUI, for example Generic Protocol Command Decode?

    You can probably do this using regular expression matching in the disablesid.conf file on the SID MGMT tab.  It will take some careful experimentation to get your regular express syntax correct and be sure it's not too broad and flagging other desired rules for suppression.  I'm not a regex expert, though.  Anything I do with regex involves hours of Google searches for examples to copy …  :-[.

    Enable automatic SID managment by clicking the checkbox under the SID MGMT tab.  Then open up and look at the example [i]disablesid.conf file you find there.  Inside will be various examples.  Essentially what SID MGMT does is use PERL compatible regular expressions (pcre) matches to identify rules for further action.  Rules that match a pcre in the disablesid.conf file are auto-disabled, rules matching a pcre in the enablesid.conf file are automatically enabled, and rules matching a pcre in the modifysid.conf file are auto-modified according to the pcre text.

    Bill



  • If you have your sid mgmt set to enable,disable; then you should be able to add to your disablesid.conf:

    pcre:protocol-command-decode
    
    

    I'm not sure if you need to escape the '-' but it should work.



  • @bbrendon:

    If you have your sid mgmt set to enable,disable; then you should be able to add to your disablesid.conf:

    pcre:protocol-command-decode
    
    

    I'm not sure if you need to escape the '-' but it should work.

    Thanks @bbrendon for the regex example.  It should work.  I, too, am not sure about the need for escaping the dash.  The OP can check the results of the regex by looking at the list of active rules for the interface.  The active rules will be found in the interface subdirectory inside a sub-directory called rules in a file called suricata.rules (or snort.rules for Snort).  The path is like so for Suricata (Snort is the same, just replace "suricata" with "snort" in the path):

    /usr/local/etc/suricata/suricata_xxxyyyyyy/rules

    where xxx will be the physical interface name and yyyyyy will be a random GUID number.

    You can open the rules files you find there to see the actual enabled runtime rules for the interface.

    Bill