    Mass disable Snort rules

      jeffhammett last edited by

      I want to disable a number of Snort rules without disabling the entire category.

      I have a list of the GIDs and SIDs (and they are all sequential). Is there a command I can run or a way to add them to a config file without having to manually click to disable each one in the GUI?

        bmeeks last edited by

        @jeffh:

        I want to disable a number of Snort rules without disabling the entire category.

        I have a list of the GIDs and SIDs (and they are all sequential). Is there a command I can run or a way to add them to a config file without having to manually click to disable each one in the GUI?

        You need to use the new SIG MGMT tab and its feature.  Read the comments in the included sample files you will find on that tab.  They show how to use the enablesid and disablesid configuration files.  This feature was tailor made for situations like you describe.

        Bill

          jeffhammett last edited by

          @bmeeks:

          @jeffh:

          I want to disable a number of Snort rules without disabling the entire category.

          I have a list of the GIDs and SIDs (and they are all sequential). Is there a command I can run or a way to add them to a config file without having to manually click to disable each one in the GUI?

          You need to use the new SIG MGMT tab and its feature.  Read the comments in the included sample files you will find on that tab.  They show how to use the enablesid and disablesid configuration files.  This feature was tailor made for situations like you describe.

          Bill

          That worked perfectly, thanks!

            bmeeks last edited by

            @jeffh:

            That worked perfectly, thanks!

            Glad it worked.  I added that feature a few revisions back, but it has not gotten a lot of use yet so far as I can tell.  It offers an easy way to manage rules using various lines in the enablesid.conf, disablesid.conf and modifysid.conf files.  It can work with just SID values, or you can also use regular expression matching.  This functionality was ported over from the Oinkmaster and PulledPork utilities.

            Bill

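
Added example, not part of the original thread or the Snort package's code: a Python helper that turns a list of GID:SID values and sequential ranges into an auditable block of lines for disablesid.conf on the SID MGMT tab. It assumes the PulledPork-style `GID:SID` entry format, one per line, with `#` comments; the range input syntax, `MAX_RANGE` and the sample SIDs are this helper's own constructs, so compare the output with the sample files on that tab before using it.

```python
import re

# Input token: "GID:SID" or an inclusive range "GID:SID-GID:SID". This is the
# helper's own input convention; the output is always one GID:SID per line.
_TOKEN = re.compile(r"^(\d+):(\d+)(?:-(\d+):(\d+))?$")

MAX_RANGE = 5000  # hypothetical safety limit: a wider range is probably a typo


def expand(token):
    """Return the list of (gid, sid) pairs named by one input token."""
    m = _TOKEN.match(token.strip())
    if not m:
        raise ValueError(f"not a GID:SID or GID:SID-GID:SID token: {token!r}")
    gid, first = int(m.group(1)), int(m.group(2))
    if m.group(3) is None:
        return [(gid, first)]
    gid2, last = int(m.group(3)), int(m.group(4))
    if gid2 != gid:
        raise ValueError(f"range crosses generator IDs: {token!r}")
    if last < first:
        raise ValueError(f"range end before start: {token!r}")
    if last - first + 1 > MAX_RANGE:
        raise ValueError(f"range wider than {MAX_RANGE} rules: {token!r}")
    return [(gid, sid) for sid in range(first, last + 1)]


def build_disablesid(tokens, reason):
    """Build the file text: a comment header, then sorted unique GID:SID lines."""
    pairs = sorted({pair for token in tokens for pair in expand(token)})
    # Record why the rules were turned off so the change can be reviewed later.
    lines = [f"# {reason}", f"# {len(pairs)} rules disabled"]
    lines += [f"{gid}:{sid}" for gid, sid in pairs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not SIDs taken from the thread.
    sample = ["1:2100-1:2104", "1:2102", "3:13010"]
    print(build_disablesid(sample, "false positives, reviewed by netops"), end="")
```

Keeping the reason and the rule count in the header makes it easier to audit later how much detection coverage was switched off and why.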