Snort mailing list archives
Re: disabling specific snort rules
From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 27 Oct 2013 09:05:39 -0600
Roland,

Yea I haven’t seen anything out there that’s current. In the Snort source there’s a directory called docs…read every README.* that’s in there. There should be a snort_manual.pdf in there as well, but I didn’t see one there (Joel?). I do see the latex doc though and this link http://manual.snort.org/ will get you there. Take the time to really understand the areas that impact you (for example, do you have SMTP open? Make sure to understand the README.SMTP thoroughly). I usually find something I didn’t know before, or answers to questions I haven’t even asked yet ;)

Hope that helps.

James

On Oct 27, 2013, at 7:04 AM, Roland RoLaNd <r_o_l_a_n_d () hotmail com> wrote:
> James,
>
> Yes, that was of tremendous help. Do you suggest any ebook or site I can learn more about Snort? You, others and this list in general have helped me every time I asked a question, which I'm thankful for, but I want to start learning Snort all together instead of getting answers about specific questions. The only ebooks I could find date from 2004..2006 ...
>
> > To: snort-users () lists sourceforge net
> > Date: Thu, 24 Oct 2013 09:59:47 -0600
> > From: jlay () slave-tothe-box net
> > Subject: Re: [Snort-users] disabling specific snort rules
> >
> > On 2013-10-24 08:42, Roland RoLaNd wrote:
> > > Thank you James, that did it for me. Another question related to rules, if I may? I'm receiving a high number of false positive alerts. Using BASE I'm getting thousands of alerts to a specific destination, which is my own remote server. May I ask of a way to exclude certain destinations (IPs or ports) from triggering alerts?
> >
> > Check out the threshold.conf file for getting IPs to stop alerting...also works with specific rules. If you're sure you don't want to see a specific host ever, then I'd use a bpf when starting snort: snort -c /etc/snort/conf "not myserverip" for example.
> >
> > Hope that helps.
> >
> > James
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
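One way to act on the threshold.conf advice in this thread, as an added example that is not part of the original posts: count which rules fire against a destination you trust and emit per-rule `suppress` lines for review, instead of silencing the host entirely. It assumes Snort 2.x "fast" alert output; the function names, sample alerts, SIDs and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Snort 2.x "fast" alert line (assumed format):
#   timestamp [**] [gid:sid:rev] msg [**] [Classification..] [Priority..] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts: documentation IP ranges, made-up SIDs and messages.
SAMPLE_ALERTS = """\
10/24-08:42:01.100001  [**] [1:1000001:1] EXAMPLE noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:51515 -> 203.0.113.10:443
10/24-08:42:02.100002  [**] [1:1000001:1] EXAMPLE noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:51516 -> 203.0.113.10:443
10/24-08:42:03.100003  [**] [1:1000001:1] EXAMPLE noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.8:40000 -> 203.0.113.10:443
10/24-08:42:04.100004  [**] [1:1000002:2] EXAMPLE rare rule B [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 198.51.100.9:40001 -> 203.0.113.10:22
10/24-08:42:05.100005  [**] [1:1000001:1] EXAMPLE noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:51517 -> 192.0.2.5:443
10/24-08:42:06.100006  [**] [1:1000001:1] EXAMPLE noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:51518 -> 192.0.2.5:443
10/24-08:42:07.100007  [**] [1:1000003:1] EXAMPLE ping rule C [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 203.0.113.10
"""

def count_alerts(lines):
    """Count alerts per (gid, sid, destination IP); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m["gid"]), int(m["sid"]), m["dst"])] += 1
    return counts

def suppress_candidates(counts, trusted_dst, min_hits):
    """Build threshold.conf suppress lines for rules firing >= min_hits times at trusted_dst.

    Rare rules stay enabled, so a low-volume, high-priority alert against the
    trusted server is still seen.
    """
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}"
        for (gid, sid, dst), hits in sorted(counts.items())
        if dst == trusted_dst and hits >= min_hits
    ]

if __name__ == "__main__":
    tally = count_alerts(SAMPLE_ALERTS.splitlines())
    for line in suppress_candidates(tally, "203.0.113.10", min_hits=3):
        print(line)
```

Unlike a BPF exclusion, which hides all of the host's traffic from Snort, the generated entries silence only the listed rules for that destination.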
Current thread:
- disabling specific snort rules Roland RoLaNd (Oct 24)
- Re: disabling specific snort rules James Lay (Oct 24)
- Re: disabling specific snort rules Roland RoLaNd (Oct 24)
- Snort and Banyard2 no data in logs. Salvo (Oct 24)
- Re: Snort and Banyard2 no data in logs. waldo kitty (Oct 24)
- Re: disabling specific snort rules James Lay (Oct 24)
- Re: disabling specific snort rules JJC (Oct 24)
- Re: disabling specific snort rules Roland RoLaNd (Oct 27)
- Re: disabling specific snort rules James Lay (Oct 27)
- Re: disabling specific snort rules Joel Esler (Oct 27)
- Re: disabling specific snort rules Roland RoLaNd (Oct 24)
- Re: disabling specific snort rules James Lay (Oct 24)
- Re: disabling specific snort rules waldo kitty (Oct 24)