This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Manual rule disable

I'm trying to investigate some odd ports I'm seeing. So I've enabled IPS.
But I also use Radmin to control my mail server. With IPS on it doesn't work because the traffic is triggering IPS.
id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BACKDOOR radmin 3.0 runtime detection - login & remote control" group="510" srcip="192.168.30.100" dstip="192.168.20.34" proto="6" srcport="4850" dstport="59327" sid="12376" class="A Network Trojan was detected" priority="1" generator="1" msgid="0"

I'm assuming the rule ID is 2101. But when I add a rule modification to disable rule 2101, the traffic is still blocked and the alert is shown in the logs.

Is there some extra trick to this? The IPS rule management is at best... lousy.

This thread was automatically locked due to age.

0 BAlfson over 15 years ago

Have you Up2Dated to 7.504?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 JimmyM over 15 years ago in reply to BAlfson

Yes, I have.
Cancel
Vote Up 0 Vote Down

Cancel
0 dilandau over 15 years ago

Take a look at the Snort logfile guide at astaro.com/kb Article #312523

As per the guide, you should use the "sid", in this case 12376 for the Rule ID to manually disable it.
Cancel
Vote Up 0 Vote Down

Cancel
0 JimmyM over 15 years ago in reply to dilandau

Ahhh. Right function. Wrong number. sid not id. Thanks. I'll give it a go.
Cancel
Vote Up 0 Vote Down

Cancel
0 JimmyM over 15 years ago in reply to JimmyM

That did the trick. Thanks. All is good now.
RAM usage is up from 40% to 60% and CPU shows little spikes during periods of high traffic, but that's it. A speed test shows I'm still getting 25Mb down/21Mb up.

I may still go to the dual core Atom just 'cause I want to. That and an SSD.
Cancel
Vote Up 0 Vote Down

Cancel