Re: How to Ignore certain alerts

[Joel Esler <jesler () sourcefire com>]

Sourcefire is a commercial product. Www.sourcefire.com

On Saturday, September 19, 2009, Daniel Qian
<daniel.qian () supracanada com> wrote:
> I am also on command line for the snort part where
> the alerts are output to unified2 format before barnyard2 parses them into
> Mysql database for Base to display.
>
> By the way, is there a Linux version of Sourcefire
> interface?
>
>   ----- Original Message -----
>   From:
>   Joel
>   Esler <javascript:_e({}, 'cvml', 'jesler () sourcefire com');>
>   To: Daniel Qian <javascript:_e({}, 'cvml', 'daniel.qian () supracanada com');>
>   Cc: snort-users () lists sourceforge net
>
>   Sent: Saturday, September 19, 2009 10:11
>   PM
>   Subject: Re: [Snort-users] How to Ignore
>   certain alerts
>
> Maybe someone that uses the BASE interface can answer for you.
>    I haven't used anything but the command line and Sourcefire's interface
>   for about 4 years.
>
>
>   J
>
>   On Sat, Sep 19, 2009 at 10:02 PM, Daniel Qian <daniel.qian () supracanada com>
>   wrote:
>
>
>     How do I get the value for gen_id, sig_id from
>     the Base output to put in threshold.conf file?
>
>
>       ----- Original Message -----
>       From: Joel Esler
>
>       To: Daniel Qian
>
>       Cc: snort-users () lists sourceforge net
>
>
>
>       Sent: Saturday, September 19, 2009
>       8:34 PM
>       Subject: Re: [Snort-users] How to
>       Ignore certain alerts
>
> You should place the suppressions in the threshold.conf
>       file.  Make sure that the file is also uncommented in the snort.conf
>       file.  (It's at the very bottom of the stock file)
>
>
>       J
>
>       On Sat, Sep 19, 2009 at 8:13 PM, Daniel Qian <daniel.qian () supracanada com> wrote:
>       Should
>         I place the suppression rule in rules/local.rules file? In Base
>         interface, where can I find the sid of the alerts that get
>         triggered?
>
> ----- Original Message ----- From: "Joel Esler" <jesler () sourcefire com>
> To: "Daniel Qian" <daniel.qian () supracanada com>
> Cc: <snort-users () lists sourceforge net>
> Sent: Friday,
>         September 18, 2009 6:43 PM
> Subject: Re: [Snort-users] How to Ignore
>         certain alerts
>
>
>
>
>
>         Check
>           out "suppression" in the Snort manual.
>
> J
>
> On Friday,
>           September 18, 2009, Daniel Qian <daniel.qian () supracanada com> wrote:
>           I
>             am having nearly 10000 Microsoft SQL server related alerts produced
>             by
> Snort for our /23 network block. But most of our systems are
>             not even
> Microsoft. I am trying to make Snort send these alerts
>             for only a couple
> servers. so I have tried putting
>
> var
>             SQL_SERVERS [x.x.x.x/32,y.y.y.y/32]
>
> in snort.conf but it
>             doesnt do anything for me. What is the best approach to
> achieve
>             that result?
>
> Two links about the alerts copied from
>             Barnyard2:
>
> http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
>
> http://vil.nai.com/vil/content/v_99992.htm
>
>
> Thanks,
> Daniel
>
>
> -----------------------------------------------------------

------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users