IDS mailing list archives
RE: Snort rules setup.
From: "Derick Anderson" <danderson () vikus com>
Date: Mon, 5 Dec 2005 07:48:55 -0500
-----Original Message----- From: phunked up! [mailto:phunkodelic () gmail com] Sent: Wednesday, November 30, 2005 2:14 PM To: focus-ids () securityfocus com Subject: Snort rules setup. I am trying to get rid of the errors of: "(portscan) Open Port" in my Snort logs. They are filling it up quite fast. I have put a line in the threshold.conf file and enabled that file in the snort.conf file but that has done nothing so far. Setup is Centos/MySQL/Snort/BASE. Any advice would be much appreciated. Thanks!
Instead of using threshold.conf I used some suppress commands in snort.conf. I don't remember which gen_id and sig_id portscan/open port is but I added these 4 lines in my snort.conf to shut it and http_inspect up in regards to certain events: suppress gen_id 122, sig_id 27: suppress gen_id 122, sig_id 19: suppress gen_id 119, sig_id 4: suppress gen_id 119, sig_id 15: I'm sure some googling will shed light on the combination you may need, although I remember it taking me forever to figure out what to do. Derick Anderson ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Snort rules setup. phunked up! (Dec 02)
- Re: Snort rules setup. Joel Esler (Dec 05)
- <Possible follow-ups>
- RE: Snort rules setup. Derick Anderson (Dec 05)