Snort mailing list archives
RE: Is this right one?
From: Peter Rodger <prodger2008 () yahoo com>
Date: Tue, 25 Oct 2005 09:07:05 -0700 (PDT)
Hi,

Thanks for your help and it works (only monitoring exchange servers' traffic).

I still could not figure out why this one does not work as posted before:

[snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

I have attempted to suppress these alerts in my snort.conf file like the following:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

Could it be too much traffic that overkills the snort box so that it cannot process suppress as indicated above?? Currently, the snort box is placed inside the firewall and I span the PIX port to the snort monitoring port.

Please give me some suggestions and hints. Should I buy taps?

Thanks as always,
Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:
The format should be:

suppress gen_id 1, sig_id 1070

Make sure that you have an uncommented include on snort.conf for threshold.conf. Also you could comment out sid_id 1070 in web-misc.rules

Many use oinkmaster to automatically update new Snort sigs and keep mods to their Snort rules.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Peter Rodger
Sent: Tuesday, October 25, 2005 10:35 AM
To: s
Subject: [Snort-users] Is this right one?

Hi all,

I try to suppress this one event.

WEB-MISC WebDAV search access

I added suppress sid_id 1070 in the threshold.conf. Is this right?

Thanks,
Peter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
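An added example (not part of the thread and not Snort's own code): a small Python check for the two points in Bruce's reply, that each suppress line carries both gen_id and sig_id and that the include for threshold.conf is not commented out. The function name lint_snort_conf and the sample text are assumptions constructed for illustration; the optional track/ip clause follows the Snort 2.x suppress syntax.

```python
import re

# Snort 2.x: suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip-list>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(?:by_src|by_dst)\s*,\s*ip\s+\S.*)?$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)")

# Constructed sample: suppress lines quoted in the thread, include commented out.
SAMPLE = """\
# include threshold.conf
suppress sid_id 1070
suppress gen_id 1, sig_id 1070
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
"""


def lint_snort_conf(text, threshold_name="threshold.conf"):
    """Return (suppressions, problems); problems are (line_number, message)."""
    suppressions, problems = [], []
    include_active = include_commented = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        inc = INCLUDE_RE.match(body)
        if inc and inc.group(1).endswith(threshold_name):
            # Track whether any live include pulls in the threshold file.
            include_active |= not commented
            include_commented |= commented
            continue
        if commented or not body.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(body)
        if m:
            suppressions.append((int(m.group(1)), int(m.group(2))))
        else:
            problems.append((lineno, "malformed suppress: " + body))
    if include_commented and not include_active:
        problems.append((0, "include for %s is commented out" % threshold_name))
    return suppressions, problems


if __name__ == "__main__":
    ok, bad = lint_snort_conf(SAMPLE)
    print("well-formed:", ok)
    for lineno, msg in bad:
        print("line %d: %s" % (lineno, msg))
```

Line number 0 in the problem list marks a file-level finding rather than a specific line.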
Current thread:
- Is this right one? Peter Rodger (Oct 25)
- <Possible follow-ups>
- RE: Is this right one? Briggs, Bruce (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 25)
- RE: Is this right one? (one correction) Peter Rodger (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 25)
- RE: Is this right one? Briggs, Bruce (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 25)
- RE: Is this right one? Briggs, Bruce (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 26)
- RE: Is this right one? Peter Rodger (Oct 28)