Snort mailing list archives
Re: Exception to a rule pulled by pulledpork
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 31 Mar 2014 14:04:18 -0400
On 3/31/2014 2:58 AM, Ilja Schumacher wrote:
[...]
> How can I tell snort that inbound SIP from that one specific IP is ok while not modifying the rule of pulledpork because it will overwrite it anyways in next update. Or will it not?
you want to use the snort threshold.conf to threshold the alerts generated by traffic from that IP... eg:

    suppress gen_id X, sig_id Y, track by_src, ip aaa.bbb.ccc.ddd

where 'X' is the GID for the rule you are suppressing, 'Y' is the SID from the rule you are suppressing and the IP is for the system generating the alerts you are wanting to suppress...

you can do more than just suppression... i suggest reading README.filter for more information ;)

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
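Added example, not part of the original post and not Snort or PulledPork code: a small Python check that reads suppress lines in the form shown above and reports which alerts they would hide, so a suppression can be confirmed to cover only the intended host. The GID/SID values and addresses are constructed placeholders, and the parser assumes a single IP or CIDR per entry (bracketed lists and variables are not handled).

```python
import ipaddress

# Constructed sample threshold.conf content; SIDs and addresses are placeholders
# (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_CONF = """\
# allow the known SIP peer for one rule only
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 1000002
"""

def parse_suppress(text):
    """Return one dict per 'suppress' line; comments and other directives are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("suppress "):
            continue
        opts = {}
        for part in line[len("suppress "):].split(","):
            key, _, value = part.strip().partition(" ")
            opts[key] = value.strip()
        entries.append({
            "gid": int(opts["gen_id"]),
            "sid": int(opts["sig_id"]),
            "track": opts.get("track"),
            "net": ipaddress.ip_network(opts["ip"], strict=False) if "ip" in opts else None,
        })
    return entries

def is_suppressed(entries, gid, sid, src, dst):
    """True if an alert (gid, sid) between src and dst matches a suppress entry."""
    for e in entries:
        if (e["gid"], e["sid"]) != (gid, sid):
            continue
        if e["net"] is None:
            return True  # no track/ip given: the rule is silenced for every host
        addr = src if e["track"] == "by_src" else dst
        if ipaddress.ip_address(addr) in e["net"]:
            return True
    return False

def unscoped(entries):
    """List (gid, sid) pairs suppressed without any IP restriction, for review."""
    return [(e["gid"], e["sid"]) for e in entries if e["net"] is None]
```

Entries returned by unscoped() silence a rule for all traffic and are worth reviewing when the intent was an exception for one host.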