Snort mailing list archives
Suppressing gen_id 116
From: snort user <snortuser2000 () yahoo com>
Date: Wed, 21 Jul 2004 13:19:44 -0700 (PDT)
I am running snort 2.1.3 and I am trying to suppress the following snort_decoder alerts using the thresholding functionality:

    (snort_decoder) WARNING: Bad Token Ring MR Header!
    (snort_decoder) WARNING: Bad Token Ring ETHLLC Header!
    (snort_decoder) WARNING: Bad Token Ring MRLENHeader!

My threshold.conf file looks like this:

    suppress gen_id 116, sig_id 141
    suppress gen_id 116, sig_id 142
    suppress gen_id 116, sig_id 143

I have 'include threshold.conf' in my snort.conf. When I load snort, not in daemon mode, I see the rules load, but the events still get logged to my database. The only way I have been able to turn them off is to set the following option in snort.conf:

    config disable_decode_alerts

Can anyone tell me why suppression is not working for me? Is my gen_id wrong? sig_id?

TIA.