Snort mailing list archives
Re: Event_filter and suppression on same rule valid?
From: "Starner, Mark" <mark.starner () unisys com>
Date: Tue, 20 Nov 2012 14:02:43 -0600
A correction, the order of the entries is:

event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2, seconds 180
suppress gen_id 122, sig_id 3, track by_src, ip [list of IP's here]

So the event_filter is in the threshold.conf file first, followed by the suppression.

-----Original Message-----
From: Starner, Mark
Sent: Tuesday, November 20, 2012 2:58 PM
To: snort-users () lists sourceforge net
Subject: Event_filter and suppression on same rule valid?

Running snort 2.9.3.1

We have two entries in the threshold.conf file:

event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2, seconds 180
suppress gen_id 122, sig_id 3, track by_src, ip [list of IP's here]

The suppression seems to be working fine, but the event_filter isn't. We want to suppress the 122:3 alerts from a specific set of IPs, but just want to limit the number of alerts from everyone else, and we are seeing more than 2 alerts in a 3 minute timeframe for those IPs not suppressed.

Should this work???

Thanks
Mark
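The following is an added example, not part of the post and not Snort's own code. It is a small Python model of what the two threshold.conf entries above are meant to do: a suppress entry drops 122:3 alerts from listed source addresses outright, and an event_filter of type limit logs only the first `count` alerts per tracked source in each `seconds` interval. The IP list is constructed (the post elides it) and uses RFC 5737 documentation addresses; the alert stream is constructed as well. The model tests suppression before the limit, which is the order the Snort manual describes for suppress versus thresholding, but the windowing here is a simplified fixed-interval model rather than Snort's implementation.

```python
"""Toy model of threshold.conf event_filter (type limit) and suppress handling.

Added example, not Snort's code. Only type limit with track by_src/by_dst and
suppress ... track by_src/by_dst, ip [...] are modelled.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed threshold.conf mirroring the two entries in the post. The post
# elides its IP list; the addresses below are RFC 5737 documentation ranges.
THRESHOLD_CONF = """
event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2, seconds 180
suppress gen_id 122, sig_id 3, track by_src, ip [192.0.2.10,192.0.2.0/28]
"""

# "keyword value" pairs separated by commas; a bracketed IP list may itself
# contain commas, so it is matched as one unit.
OPTION_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|[^,]+)")


def parse_threshold_conf(text):
    """Return ({(gid, sid): filter_opts}, {(gid, sid): [(track, [networks])]})."""
    filters = {}
    suppressions = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        opts = {k: v.strip() for k, v in OPTION_RE.findall(rest)}
        key = (int(opts["gen_id"]), int(opts["sig_id"]))
        if keyword == "event_filter":
            filters[key] = {
                "type": opts["type"],
                "track": opts["track"],
                "count": int(opts["count"]),
                "seconds": int(opts["seconds"]),
            }
        elif keyword == "suppress":
            nets = [ipaddress.ip_network(ip.strip(), strict=False)
                    for ip in opts["ip"].strip("[]").split(",")]
            suppressions[key].append((opts["track"], nets))
        else:
            raise ValueError(f"unknown threshold.conf keyword: {keyword}")
    return filters, suppressions


class EventFilterEngine:
    """Decides per alert whether it is logged, suppressed, or rate-limited."""

    def __init__(self, filters, suppressions):
        self.filters = filters
        self.suppressions = suppressions
        self.windows = {}  # (gid, sid, tracked_ip) -> [interval_start, seen]

    def process(self, gid, sid, src, dst, ts):
        """Return True if the alert is logged, False if suppressed or limited."""
        key = (gid, sid)
        # Suppression is tested first: a matching tracked address never logs.
        for track, nets in self.suppressions.get(key, []):
            addr = ipaddress.ip_address(src if track == "by_src" else dst)
            if any(addr in net for net in nets):
                return False
        flt = self.filters.get(key)
        if flt is None:
            return True
        if flt["type"] != "limit":
            raise NotImplementedError("only type limit is modelled here")
        tracked = src if flt["track"] == "by_src" else dst
        state = self.windows.get((gid, sid, tracked))
        if state is None or ts - state[0] >= flt["seconds"]:
            state = [ts, 0]  # start a fresh interval for this tracked address
            self.windows[(gid, sid, tracked)] = state
        state[1] += 1
        # limit: log the first `count` events in the interval, drop the rest
        return state[1] <= flt["count"]


# Constructed alert stream for 122:3: (timestamp in seconds, src, dst).
SAMPLE_EVENTS = [
    (0,   "198.51.100.7", "10.0.0.1"),
    (5,   "192.0.2.10",   "10.0.0.1"),  # listed in the suppress entry
    (6,   "192.0.2.3",    "10.0.0.1"),  # inside 192.0.2.0/28
    (10,  "198.51.100.7", "10.0.0.1"),
    (20,  "198.51.100.7", "10.0.0.1"),  # third within 180 s: limited
    (100, "198.51.100.7", "10.0.0.1"),  # still inside the interval: limited
    (150, "203.0.113.9",  "10.0.0.1"),
    (190, "198.51.100.7", "10.0.0.1"),  # new interval: logged again
]


def simulate(conf=THRESHOLD_CONF, events=SAMPLE_EVENTS):
    """Return {src: (logged, dropped)} for the alert stream."""
    engine = EventFilterEngine(*parse_threshold_conf(conf))
    tally = defaultdict(lambda: [0, 0])
    for ts, src, dst in events:
        tally[src][0 if engine.process(122, 3, src, dst, ts) else 1] += 1
    return {src: tuple(v) for src, v in tally.items()}


if __name__ == "__main__":
    for src, (logged, dropped) in simulate().items():
        print(f"{src:15} logged={logged} dropped={dropped}")
```

Running it shows the intended split: the two suppressed sources log nothing, the unsuppressed source at 198.51.100.7 logs only two of its four alerts inside the first 180 s and then one more once a new interval starts, and a source that fires once is logged. When a production sensor logs more alerts per interval than the limit, comparing its output against a model like this for the same alert stream is a quick way to confirm whether the configuration or the sensor's behaviour is the part that deviates.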