Snort mailing list archives
Re: Supressing alerts.
From: "mdpeters" <michael.peters () lazarusalliance com>
Date: Mon, 28 Feb 2005 13:34:59 -0500
These are actually placed into the snort.conf file?

----- Original Message -----
From: "Matt Kettler" <mkettler () evi-inc com>
To: <chubeshoi () chubes com>; <snort-users () lists sourceforge net>
Sent: Monday, February 28, 2005 1:21 PM
Subject: Re: [Snort-users] Supressing alerts.

> At 09:14 AM 2/28/2005, chubeshoi () chubes com wrote:
>> Are generating too many alerts. I have attempted to suppress these alerts in my snort.conf file like the following:
>>
>> suppress gen_id 1, sig_id 27:
>> suppress gen_id 1, sig_id 19:
>> suppress gen_id 1, sig_id 4:
>>
>> But those alerts keep on flooding my SQL database. Am I using the correct signature ID numbers? I don't know what else to try.
>
> Well, you are close, but you have the wrong gen_id's. Generator 1 is the rules, and no preprocessor-generated alerts will match.
>
>> [snort] (portscan) Open Port unclassified
>> [snort] (portscan) UDP Portsweep unclassified
>
> sfportscan is generator 122, so you need to suppress gen_id 122 with sig_id 27 and 19.
>
>> [snort] (http_inspect) BARE BYTE UNICODE ENCODING
>
> http_inspect is generator 119, so you need to suppress gen_id 119 sig_id 4.
>
> Try these instead:
>
> suppress gen_id 122, sig_id 27:
> suppress gen_id 122, sig_id 19:
> suppress gen_id 119, sig_id 4:
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
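To illustrate Matt's point about generator IDs, here is an added example (not part of the thread) that reads suppress lines the way the thread writes them and checks them against alerts in Snort's alert_fast `[gid:sid:rev]` format. The alert lines are constructed for the example, and the tool assumes the plain `gen_id ..., sig_id ...` form of suppress with no `track` clause.

```python
import re

# Constructed sample alerts in alert_fast format ([gid:sid:rev] msg [**] ...),
# covering the three preprocessor alerts from the thread plus one ordinary rule hit.
ALERTS = """\
02/28-09:10:01.000001 [**] [122:27:1] (portscan) Open Port [**] [Priority: 3] {TCP} 10.0.0.5 -> 10.0.0.9:22
02/28-09:10:02.000002 [**] [122:19:1] (portscan) UDP Portsweep [**] [Priority: 3] {UDP} 10.0.0.5 -> 10.0.0.9:53
02/28-09:10:03.000003 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:40000 -> 10.0.0.9:80
02/28-09:10:04.000004 [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
"""

# The poster's original suppress lines (generator 1 = rules) and Matt's corrected ones.
ORIGINAL_SUPPRESS = """\
suppress gen_id 1, sig_id 27
suppress gen_id 1, sig_id 19
suppress gen_id 1, sig_id 4
"""
CORRECTED_SUPPRESS = """\
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
"""

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")

def parse_suppress(conf):
    """Return the set of (gen_id, sig_id) pairs covered by suppress lines."""
    pairs = set()
    for line in conf.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs

def unsuppressed(alert_log, conf):
    """Return the messages of alerts whose (gid, sid) no suppress line matches."""
    pairs = parse_suppress(conf)
    remaining = []
    for line in alert_log.splitlines():
        m = ALERT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) not in pairs:
            remaining.append(m.group(3))
    return remaining

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_SUPPRESS), ("corrected", CORRECTED_SUPPRESS)):
        print(name, "still alerting:", unsuppressed(ALERTS, conf))
```

With the original lines every alert still passes, because sid 27, 19 and 4 are looked up under generator 1; with the corrected lines only the rule-based alert remains.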
Current thread:
- Supressing alerts. chubeshoi (Feb 28)
- Re: Supressing alerts. Matt Kettler (Feb 28)
- Re: Supressing alerts. mdpeters (Feb 28)
- Re: Supressing alerts. Matt Kettler (Feb 28)
- Re: Supressing alerts. mdpeters (Feb 28)
- Re: Supressing alerts. Matt Kettler (Feb 28)