Snort mailing list archives
threshold and suppress ??
From: Andraz Sraka <a () aufbix org>
Date: Mon, 01 Mar 2004 19:49:06 +0100
re

I'm setting up Snort IDS for observing activity of a larger network (of size /19) and I'd like to suppress some events from trusted hosts that Snort reports as alerts.

So I'm trying to suppress all alerts for some trusted hosts that are doing GRE tunneling, since Snort reports almost every possible alert between two trusted hosts on the GRE layer.

In threshold.conf I've put something like this:

    suppress gen_id 1, sig_id 0, track by_dst, ip x.x.x.y/32

but Snort still generates alerts for this trusted host.

So can I apply a suppress rule that suppresses all events from a specified IP?

regards, Andraz

--
BOFH excuse #265: The mouse escaped.
Current thread:
- threshold and suppress ?? Andraz Sraka (Mar 01)
- Re: threshold and suppress ?? Jason (Mar 02)
- Re: threshold and suppress ?? Thomas Bechtold (Mar 02)
- Re: threshold and suppress ?? Jason (Mar 02)