List: security-onion
Subject: Re: [security-onion] disablesid how to find gid?
From: Andrew Huang <ahuang () liquidweb ! com>
Date: 2019-11-22 15:19:03
Message-ID: be3abd14-b4e5-4c2c-ac5f-ef81402bb2ed () googlegroups ! com
Ah, didn't realize it's at the top of the section. Thank you, Wes.
On Friday, November 22, 2019 at 9:26:12 AM UTC-5, Wes wrote:
>
> Hi Andrew,
>
> If you look in /etc/nsm/rules/downloaded.rules, you'll see:
>
> # ----- Begin stream-events Rules Category ----- #
>
> # -- Begin GID:0 Based Rules -- #
>
> Otherwise, you should be able to find the gid via gen-msg.map
>
> Thanks,
> Wes
>
>
> On Thu, Nov 21, 2019 at 2:14 PM Andrew Huang <ahu...@liquidweb.com> wrote:
>
> > I was trying to disable sid 2221010 in disablesid.conf and couldn't
> > figure out why it wasn't working, until I changed it to 0:2221010. Doesn't
> > the gid default to 1 if it's not specified in the rule? This is the rule
> > in downloaded.rules. Is there another way to tell the gid if it's not in
> > the rule?
> >
> > alert http any any -> any any (msg:"SURICATA HTTP unable to match
> > response to request"; flow:established,to_client;
> > app-layer-event:http.unable_to_match_response_to_request;
> > flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
> > sid:2221010; rev:1;)
> >
> > --
> > Follow Security Onion on Twitter!
> > https://twitter.com/securityonion
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "security-onion" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to securit...@googlegroups.com.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/security-onion/462bbd99-1297-41e5-ba1e-a5f2987f0724%40googlegroups.com.
> >
>
>
> --
> https://twitter.com/therealwlambert
> https://securityonion.net/
>
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups
"security-onion" group. To unsubscribe from this group and stop receiving emails from
it, send an email to security-onion+unsubscribe@googlegroups.com. To view this
discussion on the web visit
https://groups.google.com/d/msgid/security-onion/be3abd14-b4e5-4c2c-ac5f-ef81402bb2ed%40googlegroups.com.
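A small lookup script that automates what Wes describes in the thread above: walk downloaded.rules, remember the enclosing "# -- Begin GID:N Based Rules -- #" header, prefer an explicit gid: option in the rule itself, and fall back to gen-msg.map (gid || sid || message) when the sid is not in the rules file. This is an added example, not code from the thread, from Security Onion or from pulledpork. The sample rules (everything except the SURICATA rule quoted above) and the gen-msg.map lines are constructed; the default of gid 1 for a rule with no gid option and no section header is the Snort/Suricata engine default, and the /etc/nsm/rules paths are the ones named in the thread.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the layout quoted in this thread (pulledpork section
# headers as found in /etc/nsm/rules/downloaded.rules). The second category
# and its two rules are made up for illustration.
SAMPLE_RULES = """\
# ----- Begin stream-events Rules Category ----- #

# -- Begin GID:0 Based Rules -- #

alert http any any -> any any (msg:"SURICATA HTTP unable to match response to request"; flow:established,to_client; app-layer-event:http.unable_to_match_response_to_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221010; rev:1;)

# ----- Begin example-category Rules Category ----- #

# -- Begin GID:1 Based Rules -- #

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed rule with explicit gid"; gid:3; sid:90000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed rule, already disabled"; sid:90000002; rev:1;)
"""

# Constructed excerpt in the gen-msg.map layout: gid || sid || message
SAMPLE_GEN_MSG = """\
# constructed gen-msg.map excerpt
1 || 1 || snort general alert
116 || 1 || constructed decoder event
"""

SECTION_RE = re.compile(r"^#\s*--\s*Begin GID:(\d+) Based Rules\s*--\s*#", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject", "log", "sdrop")
DEFAULT_GID = 1  # Snort/Suricata default when a rule carries no gid option (assumption: no section header seen)


def rule_gids(rules_text: str) -> Dict[int, Set[int]]:
    """Map each sid in a downloaded.rules-style file to the gid(s) it belongs to.

    Precedence: an explicit 'gid:N;' option in the rule wins; otherwise the
    enclosing '# -- Begin GID:N Based Rules -- #' section header; otherwise
    DEFAULT_GID. Commented-out (already disabled) rules are indexed too, so the
    same lookup serves enablesid.conf.
    """
    gids: Dict[int, Set[int]] = {}
    section_gid: Optional[int] = None
    for raw in rules_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            section_gid = int(m.group(1))
            continue
        line = raw.strip().lstrip("#").strip()
        if not line.startswith(ACTIONS):
            continue  # comment, blank line or category banner, not a rule
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        gid_m = GID_RE.search(line)
        if gid_m:
            gid = int(gid_m.group(1))
        elif section_gid is not None:
            gid = section_gid
        else:
            gid = DEFAULT_GID
        gids.setdefault(int(sid_m.group(1)), set()).add(gid)
    return gids


def disablesid_entries(rules_text: str, sid: int) -> List[str]:
    """Return the 'gid:sid' form(s) disablesid.conf needs for one sid, or [] if the sid is not in the file."""
    return [f"{gid}:{sid}" for gid in sorted(rule_gids(rules_text).get(sid, set()))]


def gids_from_gen_msg(gen_msg_text: str, sid: int) -> List[int]:
    """Fallback lookup in gen-msg.map ('gid || sid || message'): every gid that defines this sid."""
    found = []
    for raw in gen_msg_text.splitlines():
        parts = [p.strip() for p in raw.split("||")]
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue  # comments and blank lines
        if int(parts[1]) == sid:
            found.append(int(parts[0]))
    return sorted(found)


if __name__ == "__main__":
    # On a sensor, read the real files instead of the constructed samples:
    #   rules = open("/etc/nsm/rules/downloaded.rules").read()
    #   gen_msg = open("/etc/nsm/rules/gen-msg.map").read()   # path assumed
    for sid in (2221010, 90000001, 90000002):
        print(sid, disablesid_entries(SAMPLE_RULES, sid) or "not found in rules")
    print(1, gids_from_gen_msg(SAMPLE_GEN_MSG, 1))
```

For the rule Andrew quoted, the script yields 0:2221010, the form that worked for him; a sid that appears under more than one GID header comes back with one entry per gid, so you can see at a glance when a bare sid in disablesid.conf would be ambiguous.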