Snort mailing list archives
RE: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP"
From: "Mike Kelley" <mikek () m-v-t com>
Date: Mon, 17 Oct 2005 15:21:10 -0600
That's an awfully big hammer to hit those two tiny IPs ... What other alerts would I be disabling?

config disable decode alerts ==> Turns off the alerts generated by the decode phase of Snort.

I just want to suppress the alerts for 2 machines ... if other machines on the network start doing that I'd be concerned and would want to know.

(I really appreciate the help and suggestions!!!)

I was hoping for an answer with finesse centered on disabling just that alert for just those IPs

Mike

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Monday, October 17, 2005 3:10 PM
To: Mike Kelley
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP"

http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node10.html

see the config option "disable_decode_alerts"

Mike Kelley wrote:
> I have read and re-read those pages on the manual ... I find nothing in the config <DIRECTIVES> area of the snort manual that hints it would help me suppress this traffic (system wide let alone for 2 IPs) .... help a blind PHB (<== Dilbertism) to see
>
> Mike
>
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler () evi-inc com]
> Sent: Monday, October 17, 2005 2:32 PM
> To: Mike Kelley
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP"
>
> Mike Kelley wrote:
>> I have 2 machines for which this traffic is "normal" I have looked for the rule that triggers SPECIFICALLY this alert ... I can't find it
>
> This isn't a rule, it's an alert generated directly by the snort decoder itself.
>
> http://www.networksecurityarchive.org/html/Snort-Signatures/2005-09/msg00066.html
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions, and more.
> http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list
Current thread:
- Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Mike Kelley (Oct 17)
- Re: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Matt Kettler (Oct 17)
- Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Postmaster (Nov 01)
- RE: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Paul Melson (Nov 01)
- <Possible follow-ups>
- RE: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Mike Kelley (Oct 17)
- Re: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Matt Kettler (Oct 17)
- RE: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Mike Kelley (Oct 17)
- RE: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Mike Kelley (Oct 17)
- Re: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP" Matt Kettler (Oct 17)