Snort mailing list archives

Threshold Suppression Not Working

From: "Ron Jenkins" <rjenkins () dibr net>
Date: Mon, 31 Jan 2005 11:11:12 -0600

I am trying to suppress the below portscan alerts due to high volumes of
alerts:

*       (portscan) Open Port
*       (portscan) TCP Portscan
*       (portscan) UDP Portscan
*       (portscan) TCP Portsweep
*       (portscan) UDP Portsweep

 

I have added it to the threshold.conf file along with my other working
alert suppressions.  Below is the format for the above:

*          suppress gen_id 122, sig_id 3

*          suppress gen_id 122, sig_id 19

*       suppress gen_id 122, sig_id 27

 

Thess lines are not working, so I had to disable the preprocessor within
snort.conf.

 

Any help would be great!

 

Thanks...

Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA) 
Senior Architect 
Data Integrity, LLC 
"We Integrate People with Solutions" 
1724 Dallas Drive 
Suite 11 
Baton Rouge, La 70806 
Office. 225.927.8030 
Fax. 225.927.8033 
Cell225.931.1632 
Email. rjenkins () dibr net 
Web. www.dibr.net

Current thread:

Threshold Suppression Not Working Ron Jenkins (Jan 31)
- Re: Threshold Suppression Not Working Alex Butcher, ISC/ISYS (Feb 01)
- <Possible follow-ups>
- RE: Threshold Suppression Not Working Ron Jenkins (Feb 01)
  - snort configuration in layer 2 Peggy Kam (Feb 01)
    - Re: snort configuration in layer 2 Matt Kettler (Feb 01)
    - threshold for alerts but not for logs? Peggy Kam (Mar 01)