Snort mailing list archives
Re: RE: problem with suppress...
From: sekure <sekure () gmail com>
Date: Thu, 15 Jul 2004 09:04:08 -0400
Graeme,

You don't need the -o flag for suppression to work. -o is used for when you have "pass" rules. Suppression and thresholding should work without it.

Rule 384 is a very generic "ICMP Ping". Is this the rule that keeps triggering or are you trying to suppress ALL Ping events with that statement? The reason I ask is that there are many many ICMP Ping signatures. Are you absolutely sure that it is sig id 384 that keeps showing and not other ping signatures?

On Thu, 15 Jul 2004 08:43:02 +1000, Graeme Rider <graeme.rider () colesmyer com au> wrote:
> Tobias, yes... I was not initially but then saw a reference to this flag in the 'pass' requirements... the suppress rule that I am using is in the local.rules file:
>
> suppress gen_id 1,sig_id 384
>
> regards
> graeme
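The point sekure raises above, that there are several distinct "ICMP PING" signatures and a suppress line only silences the exact gen_id/sig_id it names, is easy to check against the alert log itself. The following is an added example written for this thread, not code from the Snort project or from either poster: it parses Snort 2.x "alert_fast" style lines, counts alerts per gid:sid, and builds the corresponding suppress directives (the plain form from the thread, and the per-source "track by_src, ip" form). The alert lines embedded below are constructed sample data; only sid 384 ("ICMP PING") comes from the thread, the other gid:sid pairs, messages and addresses are illustrative.

```python
"""Count which Snort signatures actually fire and emit suppress directives.

Added example for the snort-users thread on suppress; not Snort project code.
SAMPLE_ALERTS is constructed: only 1:384 "ICMP PING" is taken from the thread,
the other gid:sid values, messages and IP addresses are made up for illustration.
"""
import re
from collections import Counter

# Snort "alert_fast" layout:
#   MM/DD-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*? (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample log (see module docstring).
SAMPLE_ALERTS = """\
07/15-08:40:01.123456 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
07/15-08:40:02.223456 [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
07/15-08:40:03.323456 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.1
07/15-08:40:04.423456 [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
07/15-08:40:05.523456 [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
07/15-08:40:06.623456 [**] [1:999999:1] EXAMPLE TCP alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:4321 -> 10.0.0.1:161
"""


def parse_alerts(log_text):
    """Return one dict per line that matches the fast-log layout; other lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank, truncated or non-alert line: skip rather than guess
        d = m.groupdict()
        alerts.append({
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "src": d["src"], "dst": d["dst"],
        })
    return alerts


def count_signatures(log_text):
    """Map "gid:sid" -> number of alerts, to see which signature is really firing."""
    return Counter(f"{a['gid']}:{a['sid']}" for a in parse_alerts(log_text))


def signature_messages(log_text):
    """Map "gid:sid" -> rule message, to tell the different ping rules apart."""
    return {f"{a['gid']}:{a['sid']}": a["msg"] for a in parse_alerts(log_text)}


def suppress_lines(log_text, sids, gid=1, track_by_src=False):
    """Build Snort 2.x suppress directives for the given sids.

    Plain form (as in the thread) silences the signature for all traffic;
    track_by_src emits one line per source IP seen in the log for that sid,
    so the rule stays live for every other host.
    """
    alerts = parse_alerts(log_text)
    lines = []
    for sid in sorted(sids):
        if not track_by_src:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
            continue
        srcs = sorted({a["src"] for a in alerts if a["gid"] == gid and a["sid"] == sid})
        for src in srcs:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines


if __name__ == "__main__":
    msgs = signature_messages(SAMPLE_ALERTS)
    for key, n in count_signatures(SAMPLE_ALERTS).most_common():
        print(f"{key:>10}  {n:3d}  {msgs[key]}")
    print()
    print("\n".join(suppress_lines(SAMPLE_ALERTS, sids={384})))
    print("\n".join(suppress_lines(SAMPLE_ALERTS, sids={382}, track_by_src=True)))
```

Run against a real alert file, the count table shows immediately whether 1:384 is the signature still firing or whether another ping rule is; a directive for 384 does nothing about the others. The generated lines use the same syntax as the one in the thread; the per-source form is the one to prefer when only a known scanner or monitoring host needs silencing.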
Current thread:
- problem with suppress... Graeme Rider (Jul 13)
- Re: problem with suppress... sekure (Jul 14)
- <Possible follow-ups>
- problem with suppress... Tobias Rice (Jul 14)
- RE: problem with suppress... Graeme Rider (Jul 14)
- Re: RE: problem with suppress... sekure (Jul 15)
- RE: RE: problem with suppress... Graeme Rider (Jul 15)
- Re: RE: problem with suppress... sekure (Jul 16)
- RE: problem with suppress... Graeme Rider (Aug 05)