so-rule disabled, not working in GUI or CLI. (Also: Help Disabling entire categories by 're:regex') #10626
After specifying the regex, did you try updating your ruleset with |
Hello,
I am trying to disable some IDS rules. I want to disable an entire rule category (for example, I want to disable all ET POLICY alerts). IIRC I was able to accomplish this in 2.3 using: so-rule disabled add 're:ET POLICY' or 're:ET\sPOLICY' (not too sure about my regex), but I was able to get it to work and disable dozens of SIDs with 1 command.
After installing 2.4 I checked my alerts and began the process of tuning down alerts I don't need.
I tried to do this in the web configuration, 1 entry per line:
're:ET\sPOLICY[^"]*'
Wait 1 hour... and I'm still getting these alerts. I'll check the disabled list on the box itself.
OK, I'll try the CLI and see if anything is disabled.
Let's see if the command works:
so-rule disabled
(This should not happen, the system is in an error state if you see this message.)
More than one manager-type pillar exists, minion id's listed below:
"/opt/so/saltstack/local/pillar/minions/adv_so2beta_standalone.sls", "/opt/so/saltstack/local/pillar/minions/so2beta_standalone.sls"
Can anyone help with this? I can't seem to use so-rule disabled for anything. Not sure why I have 2 manager-type pillars.