Snort mailing list archives
Re: rules vs. suppress
From: Jeremy Hewlett <jh () sourcefire com>
Date: Wed, 30 Mar 2005 16:48:11 -0500
Sorry for the delayed response. [insert standard excuse here] ;) On Thu, Mar 24, Lee Clemens wrote:
That all makes sense, but a serious caveat...what suppress statement wouldn't cause the rule to be pointless? (alert any any <> 10/8 any)
After having a better look at what you're trying to do, Marc Norton and I both agree. Making a broad suppression generalization does nullify your rule statement - you do shutdown quite a bit of alerting this way. Suppression is too specific for what you want.
Am I overlooking a simple solution for this?
Your original 21 rules were better for what you're trying to do. I'd be happy to poke at your config with you. Send it to me off list if you want. ------------------------------------------------------- This SF.net email is sponsored by Demarc: A global provider of Threat Management Solutions. Download our HomeAdmin security software for free today! http://www.demarc.com/info/Sentarus/hamr30 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- rules vs. suppress Lee Clemens (Mar 21)
- Re: rules vs. suppress Jeremy Hewlett (Mar 23)
- RE: rules vs. suppress Lee Clemens (Mar 23)
- Re: rules vs. suppress Jeremy Hewlett (Mar 31)
- RE: rules vs. suppress Lee Clemens (Mar 23)
- <Possible follow-ups>
- Re: RE: rules vs. suppress Salil D. (Mar 23)
- Re: rules vs. suppress Jeremy Hewlett (Mar 23)