Snort mailing list archives
Re: Suppress alerts
From: Peter Rodger <prodger2008 () yahoo com>
Date: Mon, 17 Oct 2005 11:35:26 -0700 (PDT)
Joel,

Thanks for the info and help. The threshold.conf file is in the /snort/etc directory, following the instruction in the snort.conf file. (the file in the /etc and /rules folder) Even if I change threshold.conf in the \rules directory, the result is still the same.

Please see the attached snort.conf and threshold.conf files in the \snort\etc folder. I did change threshold.conf in both the /etc and /rules folders and included d:\win-ds\snort\etc\threshold.conf in the snort.conf file.

Still cannot suppress these alerts? Let me know what's wrong with my config? I cannot figure out why?

Thanks again,
Peter

--- Joel Esler <joel.esler () sourcefire com> wrote:

The threshold.conf is probably in your /rules directory. (The directory is located in your snort.conf.) Search your snort.conf for "threshold.conf" and you'll see the include statement.

The Generator ID and SID are located in gid-msg.map and sid-msg.map. Probably in your rules directory.

Joel Esler
SOURCEfire

On Oct 17, 2005, at 1:06 PM, Peter Rodger wrote:

Bruce,

Thanks! I am running Snort on Windows too. I'm using IIS6, MSSQL, PHP, and BASE on Windows 2003.

BTW, I just found out that the threshold.conf file is in two places: one is in the \snort\etc folder; another is in the \snort\rules folder. Which one should I change? I changed the one in the \snort\etc folder.

How do you get the generator ID or SID?

Thanks again,
Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

Yes, I did see your Friday e-mail. I am running Snort on Windows and do not have your problem.

Also, you do not need to reboot your Snort machine when making a config change - just stop & restart Snort.

What Snort version? What other support tools are you using - such as webserver & logging database & alert viewer? I'm using Apache, MySQL, PHP, and BASE.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Monday, October 17, 2005 11:52 AM
To: Briggs, Bruce
Subject: Fwd: RE: [Snort-users] Suppress alerts

Bruce,

Did you check this message I sent you last Friday? The snort.conf is the right file I changed. What could go wrong with it?

Thanks so much,
Peter

Note: forwarded message attached.
-------------------------------------------------------
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Attachment:
snort.conf
Description: 2440593508-snort.conf
Attachment:
threshold.conf
Description: 1965301261-threshold.conf
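
The two checks this thread keeps returning to (is threshold.conf actually included from snort.conf, and do the suppress entries carry the right generator ID and SID), as an added Python example that is not part of the original messages or of Snort. The file contents and SIDs are constructed samples, not the poster's attachments; the `suppress gen_id ..., sig_id ...` and `sid || msg` line formats are the Snort 2.x ones, and every function name is hypothetical.

```python
import re
# Constructed sample inputs (not the attached files from the thread).
SNORT_CONF = r"""
# include threshold.conf
include d:\win-ds\snort\etc\threshold.conf
"""
THRESHOLD_CONF = """
suppress gen_id 1, sig_id 1000001
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.1.1.54
suppress gen_id 1, sig_id 1000003
"""
SID_MSG_MAP = """
1000001 || EXAMPLE constructed rule one
1000002 || EXAMPLE constructed rule two || url,example.invalid
"""
SUPPRESS = re.compile(r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(.*)", re.I)

def active_lines(text):
    """Non-blank lines that are not commented out with a leading '#'."""
    stripped = (line.strip() for line in text.splitlines())
    return [l for l in stripped if l and not l.startswith("#")]

def threshold_includes(snort_conf):
    """Paths of the threshold.conf files that snort.conf really includes."""
    return [l.split(None, 1)[1] for l in active_lines(snort_conf)
            if l.lower().startswith("include ") and l.lower().endswith("threshold.conf")]

def suppressions(threshold_conf):
    """(gen_id, sig_id, options) for every active suppress line."""
    hits = (SUPPRESS.match(l) for l in active_lines(threshold_conf))
    return [(int(m[1]), int(m[2]), m[3].strip(" ,")) for m in hits if m]

def sid_messages(sid_msg_map):
    """SID -> message, parsed from 'sid || msg || ref ...' lines."""
    rows = ([f.strip() for f in l.split("||")] for l in active_lines(sid_msg_map))
    return {int(r[0]): r[1] for r in rows if len(r) >= 2 and r[0].isdigit()}

def report(snort_conf, threshold_conf, sid_msg_map):
    """One line per finding; gen_id 1 (text rules) is named via sid-msg.map."""
    msgs = sid_messages(sid_msg_map)
    out = [f"included: {p}" for p in threshold_includes(snort_conf)]
    out = out or ["no active include of threshold.conf in snort.conf"]
    for gid, sid, opts in suppressions(threshold_conf):
        name = msgs.get(sid, "SID not in sid-msg.map") if gid == 1 else "look up in gid-msg.map"
        out.append(f"suppress {gid}:{sid} [{name}] {opts}".rstrip())
    return out

if __name__ == "__main__":
    print("\n".join(report(SNORT_CONF, THRESHOLD_CONF, SID_MSG_MAP)))
```

A suppress entry reported as "SID not in sid-msg.map" or an empty include list points at the file or ID to recheck before restarting Snort.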