Mass disable Snort rules



  • I want to disable a number of Snort rules without disabling the entire category.

    I have a list of the GIDs and SIDs (and they are all sequential). Is there a command I can run or a way to add them to a config file without having to manually click to disable each one in the GUI?



  • @jeffh:

    I want to disable a number of Snort rules without disabling the entire category.

    I have a list of the GIDs and SIDs (and they are all sequential). Is there a command I can run or a way to add them to a config file without having to manually click to disable each one in the GUI?

    You need to use the new SIG MGMT tab and its feature.  Read the comments in the included sample files you will find on that tab.  They show how to use the enablesid and disablesid configuration files.  This feature was tailor made for situations like you describe.

    Bill



  • @bmeeks:

    @jeffh:

    I want to disable a number of Snort rules without disabling the entire category.

    I have a list of the GIDs and SIDs (and they are all sequential). Is there a command I can run or a way to add them to a config file without having to manually click to disable each one in the GUI?

    You need to use the new SIG MGMT tab and its feature.  Read the comments in the included sample files you will find on that tab.  They show how to use the enablesid and disablesid configuration files.  This feature was tailor made for situations like you describe.

    Bill

    That worked perfectly, thanks!



  • @jeffh:

    That worked perfectly, thanks!

    Glad it worked.  I added that feature a few revisions back, but it has not gotten a lot of use yet so far as I can tell.  It offers an easy way to manage rules using various lines in the enablesid.conf, disablesid.conf and modifysid.conf files.  It can work with just SID values, or you can also use regular expression matching.  This functionality was ported over from the Oinkmaster and PulledPork utilities.

    Bill
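As an added illustration (not the Snort package's own code), the Python below shows what the disablesid mechanism Bill describes does: it builds the comma-separated gid:sid list for a sequential SID range like the one in the question, then applies a disablesid.conf (gid:sid entries plus pcre: lines, the PulledPork/Oinkmaster syntax) to a rules file by commenting out the matching rules. The sample rules and disablesid.conf are constructed, and the "gid defaults to 1 when absent" handling is an assumption; the package's sample files on the SIG MGMT tab are authoritative for the exact syntax.

```python
import re

# Constructed sample rules (not real Snort signatures): three sequential SIDs and one unrelated rule.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"TEST rule one"; sid:1000001; gid:1; rev:1;)
alert tcp any any -> any 80 (msg:"TEST rule two"; sid:1000002; gid:1; rev:1;)
alert tcp any any -> any 80 (msg:"TEST rule three"; sid:1000003; gid:1; rev:1;)
alert udp any any -> any 53 (msg:"DNS keep me"; sid:2000001; rev:2;)
"""

# Constructed disablesid.conf: comma-separated gid:sid entries, pcre: lines, '#' comments.
SAMPLE_DISABLESID = """\
# comment lines are ignored
1:1000001,1:1000002
pcre:TEST rule three
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')

def sequential_entries(gid, first, last):
    """Build the explicit gid:sid list for a sequential SID range (answers the question's use case)."""
    return ','.join(f'{gid}:{sid}' for sid in range(first, last + 1))

def parse_disablesid(text):
    """Return (set of (gid, sid) tuples, list of compiled pcre patterns)."""
    ids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('pcre:'):
            patterns.append(re.compile(line[len('pcre:'):]))
            continue
        for item in filter(None, (i.strip() for i in line.split(','))):
            gid, sid = item.split(':')
            ids.add((int(gid), int(sid)))
    return ids, patterns

def rule_ids(rule):
    """Extract (gid, sid) from a rule line; gid assumed to default to 1 when absent."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def apply_disablesid(rules_text, disablesid_text):
    """Comment out every rule that matches a gid:sid entry or a pcre: pattern."""
    ids, patterns = parse_disablesid(disablesid_text)
    out = []
    for line in rules_text.splitlines():
        active = line.strip() and not line.lstrip().startswith('#')
        hit = active and (rule_ids(line) in ids or any(p.search(line) for p in patterns))
        out.append('# ' + line if hit else line)
    return '\n'.join(out) + '\n'

def disabled_ids(rules_text):
    """List the (gid, sid) of commented-out rules, for checking the result."""
    found = (rule_ids(l) for l in rules_text.splitlines() if l.lstrip().startswith('#'))
    return sorted(k for k in found if k is not None)
```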

