Snort mailing list archives
Re: Suppress alerts
From: Peter Rodger <prodger2008 () yahoo com>
Date: Tue, 18 Oct 2005 08:21:01 -0700 (PDT)
Hi Joel,

Here is the info: I am running Snort on Windows. I'm using IIS6, MSSQL, PHP, and BASE on Windows 2003. Currently,

  [snort] (portscan) Open Port
  [snort] (portscan) UDP Portsweep
  [snort] (http_inspect) BARE BYTE UNICODE ENCODING

are generating too many alerts. I have attempted to suppress these alerts in my threshold.conf file like the following:

  suppress gen_id 122, sig_id 27
  suppress gen_id 122, sig_id 19
  suppress gen_id 119, sig_id 4

But those alerts are still generating a lot as before. The threshold.conf file is in the /snort/etc directory, following the instruction in the snort.conf file (the file is in the /etc and /rules folders). Even when I changed threshold.conf in the \rules directory, the result is still the same. Please see the attached snort.conf and threshold.conf files from the \snort\etc folder.

I did change threshold.conf in both the /etc and /rules folders and include d:\win-ds\snort\etc\threshold.conf in the snort.conf file. Still cannot suppress these alerts?

In the snort.conf file, I do have this include line:

  include d:\win-ids\snort\etc\threshold.conf

In threshold.conf, I have:

  suppress gen_id 122, sig_id 27
  suppress gen_id 122, sig_id 19
  suppress gen_id 119, sig_id 4

I do not know why these alerts cannot be suppressed?

Thanks for your help,
Peter

--- Joel Esler <joel.esler () sourcefire com> wrote:

  We need a bit more info than what you've provided.

  Joel

  On Oct 18, 2005, at 10:53 AM, Peter Rodger wrote:

    Hi all,

    Can anyone point out what's wrong with my config? The alerts are still not suppressed. I am just too overwhelmed with this. Any help will be greatly appreciated.

    Thanks,
    Peter

    Note: forwarded message attached.
Attachments: snort.conf, threshold.conf
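As an added illustration, not part of the original thread and not Snort's own code: a small Python checker that parses `suppress` lines in the threshold.conf syntax shown above and reports which sample alerts they would match, which is a quick way to confirm that a suppress file contains the entries you think it does before chasing include-path problems. The sample threshold.conf, the hypothetical `by_src` entry for 192.0.2.0/24 and the sample alerts (addresses from documentation ranges) are constructed; only the `suppress gen_id N, sig_id N[, track by_src|by_dst, ip X]` form is handled, and `threshold`/`event_filter` lines are skipped.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample threshold.conf: the three suppress lines from the
# message above plus one hypothetical entry with a track clause.
SAMPLE_THRESHOLD_CONF = """\
# threshold.conf (constructed sample)
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.0/24
"""

# Constructed sample alerts as (gid, sid, description, src_ip, dst_ip).
SAMPLE_ALERTS = [
    (122, 27, "(portscan) Open Port", "198.51.100.7", "203.0.113.5"),
    (122, 19, "(portscan) UDP Portsweep", "198.51.100.7", "203.0.113.5"),
    (119, 4, "(http_inspect) BARE BYTE UNICODE ENCODING", "198.51.100.7", "203.0.113.5"),
    (1, 1000001, "hypothetical local rule", "192.0.2.10", "203.0.113.5"),
    (1, 1000001, "hypothetical local rule", "198.51.100.9", "203.0.113.5"),
]

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr or CIDR>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?$"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None  # "by_src" or "by_dst" when an ip clause is present
    ip: Optional[str] = None     # single address or CIDR block


def parse_threshold_conf(text: str) -> Tuple[List[Suppress], List[Tuple[int, str]]]:
    """Parse suppress lines; return (entries, malformed lines with their numbers)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or not line.startswith("suppress"):
            continue                           # threshold/event_filter lines not handled here
        m = SUPPRESS_RE.match(line)
        if m is None:
            errors.append((lineno, raw.rstrip()))
            continue
        entries.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], m["ip"]))
    return entries, errors


def is_suppressed(entries, gid, sid, src_ip=None, dst_ip=None) -> bool:
    """True if some entry matches the alert's gid:sid (and, if tracked, its address)."""
    for e in entries:
        if (e.gid, e.sid) != (gid, sid):
            continue
        if e.track is None:
            return True                        # untracked: suppressed for every address
        addr = src_ip if e.track == "by_src" else dst_ip
        if addr and ipaddress.ip_address(addr) in ipaddress.ip_network(e.ip, strict=False):
            return True
    return False


def unsuppressed_alerts(entries, alerts):
    """Return the descriptions of alerts that would still fire."""
    return [desc for gid, sid, desc, src, dst in alerts
            if not is_suppressed(entries, gid, sid, src, dst)]


if __name__ == "__main__":
    entries, errors = parse_threshold_conf(SAMPLE_THRESHOLD_CONF)
    for lineno, line in errors:
        print(f"line {lineno}: malformed suppress entry: {line}")
    for desc in unsuppressed_alerts(entries, SAMPLE_ALERTS):
        print("still fires:", desc)
```

Run against a real threshold.conf, the malformed-line report catches the kind of syntax slip (a missing comma, a misspelled keyword) that makes Snort ignore an entry, and the still-fires list shows which of your noisy gid:sid pairs the file does not yet cover.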