Snort mailing list archives

Re: Exception to a rule pulled by pulledpork


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 31 Mar 2014 14:04:18 -0400

On 3/31/2014 2:58 AM, Ilja Schumacher wrote:
[...]
How can I tell snort that inbound SIP from that one specific IP is ok while not
modifying the rule of pulledpork because it will overwrite it anyways in next
update. Or will it not?

you want to use the snort threshold.conf to threshold the alerts generated by 
traffic from that IP...

eg:  suppress gen_id X, sig_id Y, track by_src, ip aaa.bbb.ccc.ddd

where 'X' is the GID for the rule you are suppressing, 'Y' is the SID from the 
rule you are suppressing and the IP is for the system generating the alerts you 
are wanting to suppress...

you can do more than just suppression... i suggest reading README.filter for 
more information ;)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
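To make the suppress syntax above concrete, here is an added example (not code from the post or from the Snort project) that parses threshold.conf suppress lines and checks whether a given alert would be dropped. It models the forms README.filter documents: a bare `suppress gen_id X, sig_id Y` that silences the rule entirely, and the `track by_src|by_dst, ip ...` form where the address may be a single IP, a CIDR block, or a bracketed list. The gid/sid numbers and addresses in SAMPLE_CONF are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample threshold.conf content (not taken from the original post).
SAMPLE_CONF = """
# silence the SIP rule only for the trusted PBX (constructed address)
suppress gen_id 1, sig_id 2000001, track by_src, ip 192.0.2.10
# silence a rule completely, regardless of source or destination
suppress gen_id 1, sig_id 2000002
# silence a rule for a subnet plus one host, tracked on the destination
suppress gen_id 1, sig_id 2000003, track by_dst, ip [198.51.100.0/24, 203.0.113.7]
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+))?\s*$")

def parse_suppress(text):
    """Return (gid, sid, track, networks) tuples. networks is None when the
    suppress line carries no track/ip part and so applies to every event."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unrecognised threshold.conf line: %r" % line)
        gid, sid, track, ips = m.groups()
        nets = None
        if ips:
            # accept "a.b.c.d", "a.b.c.0/24" or "[x, y/24]"; a bare host becomes a /32
            nets = [ipaddress.ip_network(p.strip(), strict=False)
                    for p in ips.strip("[]").split(",")]
        rules.append((int(gid), int(sid), track, nets))
    return rules

def is_suppressed(rules, gid, sid, src, dst):
    """True if an event with this gid/sid and src/dst would be dropped."""
    for r_gid, r_sid, track, nets in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if nets is None:
            return True                         # unconditional suppress
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if any(addr in n for n in nets):
            return True
    return False
```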
