Snort

From NST Wiki
Revision as of 09:49, 5 March 2007 by Paul Blankenbaker (talk | contribs) (Fixed location of threshold.conf)
Jump to navigationJump to search

Snort Configuration Tips

Disabling Rules By ID

One should be able to disable rules by adding the rule ID to the file: "threshold.conf" (located in the snort rules directory). For example, adding the following to the end of the file: "threshold.conf" should disable the: "http_inspect: DOUBLE DECODING ATTACK" and "http_inspect: OVERSIZE REQUEST-URI DIRECTORY" rules:


suppress gen_id 119, sig_id 2 # disable http_inspect: DOUBLE DECODING ATTACK alerts
suppress gen_id 119, sig_id 15 # disable http_inspect: OVERSIZE REQUEST-URI DIRECTORY alerts

NOTE: The file: "threshold.conf" is not loaded by default. So, you will also need to modify your snort configuration file(s). Search for: "threshold.conf" and uncomment as shown below:


# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
include $RULE_PATH/threshold.conf