Snort mailing list archives
Re: How to Ignore certain alerts
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 21 Sep 2009 10:39:13 -0400
You should use the one from the VRT ruleset. However, your snort.conf should be custom configured for your network, so you probably won't be using the stock snort.conf file.

What is the error message you are receiving? Can you cut and paste it?

Joel

On Mon, Sep 21, 2009 at 10:28 AM, Daniel Qian <daniel.qian () supracanada com> wrote:

Thanks for the info Joel. I am a new user and was not aware that snort.org has been redesigned. I have another question regarding the packages for the new snort release and VRT rules - both of them have a snort.conf file but they are a little different. Which one should I use? I have been using the one that comes with the rules package but it won't work with snort release 2.8.5. It complains something about loading duplicate 'detection'.

----- Original Message -----
From: "Joel Esler" <jesler () sourcefire com>
To: "Daniel Qian" <daniel.qian () supracanada com>
Cc: "Brian Fagan" <bfagan () teleformix com>; <snort-users () lists sourceforge net>
Sent: Monday, September 21, 2009 10:10 AM
Subject: Re: [Snort-users] How to Ignore certain alerts

The link isn't valid at this time, as that functionality has not been moved from the old snort.org to the current web design. The part you are interested in is the number in the URL.

On Monday, September 21, 2009, Daniel Qian <daniel.qian () supracanada com> wrote:

Thanks for the reply Brian. The 'snort' reference link takes me to the page saying 'The page you are looking for isn't here'. I assume the link is produced by snort output and upgraded snort to the most recent release 2.8.5 but the error is still there. Is this normal or a real error?

----- Original Message -----
From: Brian Fagan <bfagan () teleformix com>
To: Daniel Qian <daniel.qian () supracanada com>
Cc: snort-users () lists sourceforge net; Joel Esler
Sent: Monday, September 21, 2009 8:41 AM
Subject: Re: [Snort-users] How to Ignore certain alerts

In BASE, if you click on the snort link in the signature it will take you to a Snort page that gives you an error; if you look at the end of the link you will see something like 1:3254. The first number is the gen_id and the second number is the sig_id.

----- Original Message -----
From: "Daniel Qian" <daniel.qian () supracanada com>
To: "Joel Esler" <jesler () sourcefire com>
Cc: snort-users () lists sourceforge net
Sent: Saturday, September 19, 2009 9:02:55 PM GMT -06:00 US/Canada Central
Subject: Re: [Snort-users] How to Ignore certain alerts

How do I get the value for gen_id, sig_id from the Base output to put in the threshold.conf file?

----- Original Message -----
From: Joel Esler
To: Daniel Qian
Cc: snort-users () lists sourceforge net
Sent: Saturday, September 19, 2009 8:34 PM
Subject: Re: [Snort-users] How to Ignore certain alerts

You should place the suppressions in the threshold.conf file. Make sure that the file is also uncommented in the snort.conf file. (It's at the very bottom of the stock file)

J

On Sat, Sep 19, 2009 at 8:13 PM, Daniel Qian <daniel.qian () supracanada com> wrote:

Should I place the suppression rule in the rules/local.rules file? In the Base interface, where can I find the sid of the alerts that get triggered?

----- Original Message -----
From: "Joel Esler" <jesler () sourcefire com>
To: "Daniel Qian" <daniel.qian () supracanada com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, September 18, 2009 6:43 PM
Subject: Re: [Snort-users] How to Ignore certain alerts

Check out "suppression" in the
-- Joel Esler | 302-223-5974 | Gtalk: jesler () sourcefire com
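As an added example (not code from this thread or from the Snort project), the steps Brian and Joel describe carried out in Python: take the gen_id:sig_id pair from the end of a BASE signature link, write the matching threshold.conf suppress entry, and check that the include line at the bottom of snort.conf is actually uncommented. The sample link and the snort.conf fragment are constructed; the suppress syntax is Snort 2.x's threshold.conf syntax.

```python
"""From a BASE signature link to a Snort 2.x threshold.conf suppress entry."""
import ipaddress
import re

# Every "<gen_id>:<sig_id>" pair in the link; the signature's pair is the last one.
_GID_SID = re.compile(r"(\d+):(\d+)")

# Constructed sample link: only the trailing 1:3254 matters, as in Brian's message.
SAMPLE_LINK = "http://www.snort.org/pub-bin/sigs.cgi?sid=1:3254"

# Constructed fragment of a stock snort.conf where the include is still commented out.
SAMPLE_SNORT_CONF = """\
include $RULE_PATH/local.rules
# include threshold.conf
"""


def ids_from_base_link(link):
    """Return (gen_id, sig_id) from the gid:sid pair at the end of a BASE link."""
    pairs = _GID_SID.findall(link)
    if not pairs:
        raise ValueError(f"no gen_id:sig_id pair in {link!r}")
    gen_id, sig_id = pairs[-1]
    return int(gen_id), int(sig_id)


def suppress_line(gen_id, sig_id, track=None, ip=None):
    """Build a threshold.conf suppress line; with no track/ip the alert is
    silenced everywhere, with track by_src/by_dst plus an address or CIDR
    only for that host, so the signature stays live for the rest of the network."""
    line = f"suppress gen_id {gen_id}, sig_id {sig_id}"
    if track is None and ip is None:
        return line
    if track not in ("by_src", "by_dst") or ip is None:
        raise ValueError("track must be by_src or by_dst and ip must be given")
    ipaddress.ip_network(ip, strict=False)  # reject typos before Snort reads the file
    return f"{line}, track {track}, ip {ip}"


def threshold_include_active(snort_conf_text):
    """True only if snort.conf has an uncommented 'include ... threshold.conf' line."""
    for raw in snort_conf_text.splitlines():
        words = raw.strip().split()
        if words and words[0] == "include" and words[-1].endswith("threshold.conf"):
            return True
    return False
```

Running `suppress_line(*ids_from_base_link(SAMPLE_LINK), track="by_src", ip="192.0.2.10")` gives the line to paste into threshold.conf; `threshold_include_active` on the sample fragment returns False until the `#` is removed.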