Snort mailing list archives
Re: Fwd: Re: Suppress alerts
From: João Mota <joao () 3gnt net>
Date: Thu, 20 Oct 2005 15:49:03 +0100
Peter Rodger wrote:
> +-----------------------[suppression]------------------------------------------
> | gen-id=119 sig-id=4 tracking=dstip=0.0.0.0 mask=0.0.0.0
> | gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
> | gen-id=122 sig-id=19 tracking=dstip=0.0.0.0 mask=0.0.0.0
> *****************
> It looked like it reads the threshold.conf...

Yes it is.

Well... the gen/sid id pairs also appear to be right. My guess is that you are using Barnyard and reading old alert files. If you are, try using the bookmarking feature ( -w ). If you're not, and if you aren't mixing up output files, I haven't got a clue. My suggestion in this latter case is to use the Linux banner command and write a big ascii-art HELP to the mailing list attaching all info possible:

> Any help will be appreciated. I am just too upset with that.

-desired behaviour (yes again, I had to dig inside my mail trash to find your first message)
-snort.conf and command line options used
-threshold.conf
-snort version
-pieces of output logs where it happens
-barnyard conf and command line options used (if you are using it)
-all the paths to the files you are submitting

Good luck,
João

P.S. Don't reply to my address... I'm already receiving duplicate mails when you post to more than one mailing-list.
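Added example, not part of the original post and not Snort or Barnyard code: one way to test the "old alert files" guess is to compare the gen-id/sig-id pairs from the suppression banner with the timestamps of the alerts that still show up. It assumes alerts in Snort's fast text format without a year, ignores the tracking/mask fields, and uses constructed sample lines, addresses and a hypothetical local sid.

```python
import re
from datetime import datetime

# Constructed sample: suppression table in the layout quoted in the message above.
BANNER = """\
+-----------------------[suppression]------------------------------------------
| gen-id=119 sig-id=4 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=19 tracking=dstip=0.0.0.0 mask=0.0.0.0
"""
# Constructed fast-format alert lines (messages, addresses and sid 1000001 are made up).
ALERTS = """\
10/19-23:10:02.000001  [**] [122:27:0] constructed message [**] {PROTO255} 192.0.2.7 -> 192.0.2.9
10/20-09:30:00.000001  [**] [119:4:1] constructed message [**] {TCP} 192.0.2.7:4000 -> 192.0.2.9:80
10/20-09:31:00.000001  [**] [1:1000001:1] constructed message [**] {UDP} 192.0.2.7:4000 -> 192.0.2.9:53
"""

SUPP_RE = re.compile(r"gen-id=(\d+)\s+sig-id=(\d+)")
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\]")

def suppressed_pairs(banner):
    """Return the set of (gen-id, sig-id) pairs listed in the suppression banner."""
    return {(int(g), int(s)) for g, s in SUPP_RE.findall(banner)}

def classify(alert_text, pairs, snort_started, year):
    """Label each alert 'ok' (not suppressed), 'stale' (suppressed pair logged
    before this Snort start, so probably an old file being re-read) or 'leak'
    (suppressed pair logged after the start, so suppression is not applied)."""
    out = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert header line
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        pair = (int(m.group(2)), int(m.group(3)))
        if pair not in pairs:
            label = "ok"
        elif ts < snort_started:
            label = "stale"
        else:
            label = "leak"
        out.append((pair, label))
    return out

if __name__ == "__main__":
    started = datetime(2005, 10, 20, 8, 0, 0)  # constructed Snort start time
    for pair, label in classify(ALERTS, suppressed_pairs(BANNER), started, 2005):
        print(pair, label)
```

Only "leak" entries point at a real suppression problem; "stale" entries fit the old-alert-file explanation.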