Snort mailing list archives

Re: RE: problem with suppress...


From: sekure <sekure () gmail com>
Date: Thu, 15 Jul 2004 09:04:08 -0400

Graeme,

You don't need the -o flag for suppression to work.  -o is used for
when you have "pass" rules.  Suppression and thresholding should work
without it.

Rule 384 is a very generic "ICMP Ping".  Is this the rule that keeps
triggering or are you trying to suppress ALL Ping events with that
statement?  The reason I ask is that there are many many ICMP Ping
signatures.  Are you absolutely sure that it is sig id 384 that keeps
showing and not other ping signatures?

On Thu, 15 Jul 2004 08:43:02 +1000, Graeme Rider
<graeme.rider () colesmyer com au> wrote:

Tobias,
       yes...I was not initially but then saw a reference to this flag in
the 'pass' requirements...
the suppress rule that I am using is in the local.rules file:
       suppress gen_id 1,sig_id 384
regards
graeme

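As an added example (not code from the thread or from the Snort project): a small Python check for the question raised above, which parses Snort fast-format alert lines together with the suppress statement Graeme posted and reports which signature ids are actually firing and which of those the suppress line would silence. The alert lines are constructed samples, signature ids other than 384 are illustrative, and only the plain `suppress gen_id N, sig_id M` form is handled (no `track by_src`/`ip` variants).

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" alert format (not taken from the thread).
# Only 1:384 is the generic "ICMP PING"; the other sids stand in for other ping signatures.
SAMPLE_ALERTS = """\
07/15-08:40:01.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.1.1.5 -> 10.1.1.1
07/15-08:40:02.000002  [**] [1:469:3] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.1.1.5 -> 10.1.1.1
07/15-08:40:03.000003  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.1.1.6 -> 10.1.1.1
07/15-08:40:04.000004  [**] [1:366:7] ICMP PING *NIX [**] [Priority: 3] {ICMP} 10.1.1.7 -> 10.1.1.1
"""

# The suppress statement exactly as posted in the thread.
SUPPRESS_CONF = """\
suppress gen_id 1,sig_id 384
"""

# [**] [gid:sid:rev] message [**]
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
# suppress gen_id N, sig_id M   (global form only; no track/ip handling here)
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)


def parse_suppress(conf):
    """Return the set of (gid, sid) pairs suppressed by the config text."""
    return {(int(m.group(1)), int(m.group(2)))
            for line in conf.splitlines() if (m := SUPPRESS_RE.match(line))}


def parse_alerts(text):
    """Return a list of ((gid, sid), msg) tuples, one per alert line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append(((int(m.group(1)), int(m.group(2))), m.group(4)))
    return out


def count_by_sig(text):
    """Count alerts per ((gid, sid), msg) so you can see which ping sig really fires."""
    return Counter(parse_alerts(text))


def unsuppressed(text, conf):
    """Alerts that would still be reported after applying the suppress statements."""
    suppressed = parse_suppress(conf)
    return [(key, msg) for key, msg in parse_alerts(text) if key not in suppressed]


if __name__ == "__main__":
    for (gid, sid), msg in count_by_sig(SAMPLE_ALERTS):
        print(f"{gid}:{sid} {msg}")
    print("still reported:", unsuppressed(SAMPLE_ALERTS, SUPPRESS_CONF))
```

Run it against a real alert file instead of `SAMPLE_ALERTS` to see whether the alerts that keep appearing are really 1:384 or one of the other ping signatures the suppress line does not cover.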
