Snort mailing list archives

Re: How to Ignore certain alerts


From: "Daniel Qian" <daniel.qian () supracanada com>
Date: Mon, 21 Sep 2009 09:54:43 -0400

Thanks for the reply Brian. The 'snort' reference link takes me to the page saying 'The page you are looking for isn’t 
here'. I assume the link is produced by snort output and upgraded snort to the most recent release 2.8.5 but the error 
is still there. Is this normal or a real error? 

  ----- Original Message ----- 
  From: Brian Fagan 
  To: Daniel Qian 
  Cc: snort-users () lists sourceforge net ; Joel Esler 
  Sent: Monday, September 21, 2009 8:41 AM
  Subject: Re: [Snort-users] How to Ignore certain alerts


  In BASE, if you click on the snort link in the signature it will take you to a Snort page that gives you an error. If 
you look at the end of the link you will see something like 1:3254: the first number is the gen_id and the second 
number is the sig_id. 
  ----- Original Message -----

  From: "Daniel Qian" <daniel.qian () supracanada com>
  To: "Joel Esler" <jesler () sourcefire com>
  Cc: snort-users () lists sourceforge net
  Sent: Saturday, September 19, 2009 9:02:55 PM GMT -06:00 US/Canada Central
  Subject: Re: [Snort-users] How to Ignore certain alerts


  How do I get the value for gen_id, sig_id from the Base output to put in threshold.conf file?
    ----- Original Message ----- 
    From: Joel Esler 
    To: Daniel Qian 
    Cc: snort-users () lists sourceforge net 
    Sent: Saturday, September 19, 2009 8:34 PM
    Subject: Re: [Snort-users] How to Ignore certain alerts


    You should place the suppressions in the threshold.conf file.  Make sure that the file is also uncommented in the 
snort.conf file.  (It's at the very bottom of the stock file) 


    J


    On Sat, Sep 19, 2009 at 8:13 PM, Daniel Qian <daniel.qian () supracanada com> wrote:

      Should I place the suppression rule in the rules/local.rules file? In the Base interface, where can I find the sid of the 
alerts that get triggered?

      ----- Original Message ----- 
      From: "Joel Esler" <jesler () sourcefire com>
      To: "Daniel Qian" <daniel.qian () supracanada com>
      Cc: <snort-users () lists sourceforge net>
      Sent: Friday, September 18, 2009 6:43 PM
      Subject: Re: [Snort-users] How to Ignore certain alerts 

        Check out "suppression" in the Snort manual.

        J

        On Friday, September 18, 2009, Daniel Qian <daniel.qian () supracanada com> wrote:

          I am having nearly 10000 Microsoft SQL server related alerts produced by
          Snort for our /23 network block. But most of our systems are not even
          Microsoft. I am trying to make Snort send these alerts for only a couple of
          servers. So I have tried putting

          var SQL_SERVERS [x.x.x.x/32,y.y.y.y/32]

          in snort.conf but it doesn't do anything for me. What is the best approach to
          achieve that result?

          Two links about the alerts copied from Barnyard2:

          http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

          http://vil.nai.com/vil/content/v_99992.htm


          Thanks,
          Daniel


          ------------------------------------------------------------------------------
          Come build with us! The BlackBerry® Developer Conference in SF, CA
          is the only developer event you need to attend this year. Jumpstart your
          developing skills, take BlackBerry mobile applications to market and stay
          ahead of the curve. Join us from November 9-12, 2009. Register now!
          http://p.sf.net/sfu/devconf
          _______________________________________________
          Snort-users mailing list
          Snort-users () lists sourceforge net
          Go to this URL to change user options or unsubscribe:
          https://lists.sourceforge.net/lists/listinfo/snort-users
          Snort-users list archive:
          http://www.geocrawler.com/redir-sf.php3?list=snort-users

    -- 
    Joel Esler | 302-223-5974 | Gtalk: jesler () sourcefire com


  -- 
  Brian Fagan
  IT Support Specialist
  Teleformix
  http://www.teleformix.com
  Phone: (847) 812-9564
  Email: bfagan () teleformix com
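The threshold.conf entries the thread points at, written out as an added example (not taken from any of the posts above). The gen_id/sig_id pair 1:3254 is the one Brian's reply uses for illustration; the network address is a placeholder, and options 1 to 3 are alternatives to choose between, not to stack:

```conf
# threshold.conf (Snort 2.8.x) -- added example, not from the original thread.
# gen_id 1 is the rules engine; sig_id 3254 is the example sid from Brian's reply.

# Option 1: silence the signature everywhere. Without track/ip the
# suppression is global for that gen_id:sig_id.
suppress gen_id 1, sig_id 3254

# Option 2: silence it only for traffic towards hosts that do not run
# MS SQL Server. 'ip' takes an address or CIDR block; the suppression
# applies to the listed addresses, so name the hosts to silence, not the
# SQL servers you still want alerts for. Placeholder address range.
suppress gen_id 1, sig_id 3254, track by_dst, ip 192.0.2.0/25

# Option 3: keep the alert but rate-limit it to one alert per source
# every 60 seconds (event_filter exists from Snort 2.8.5 onwards; only one
# event_filter is allowed per gen_id:sig_id).
event_filter gen_id 1, sig_id 3254, type limit, track by_src, count 1, seconds 60

# snort.conf, last lines of the stock file: the include ships commented out
# and must be uncommented for any of the above to be read.
include threshold.conf
```

Snort re-reads threshold.conf only on restart or reload, so an unchanged alert rate after editing the file usually means the include is still commented out or the daemon has not been restarted.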
