Snort mailing list archives

Re: Reduce Alerts - Pulledpork


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 22 Jun 2015 11:27:41 -0400

On 06/22/2015 10:35 AM, Cameron wrote:
> Because I used Pulledpork and have just one rules file (snort.rules). I cannot
> seem to figure out how to minimize the alerts by turning off some rules like you
> can if I did not use Pulledpork.

the best thing is to configure pulledpork to disable those rules you do not want 
or need to see... i think the disablesid file will be helpful for you...

> Is there perhaps a way to configure the snort.conf file so that it has a certain
> threshold? My plan is to go ahead and implement a mail server to relay some of
> the more critical alerts but I need to trim these down before I can go ahead and
> do that.

there is the threshold.conf file that can be used to threshold rules... IIRC, 
the problem with using threshold.conf to stop alerts from some rules completely 
is that the rules are still loaded into memory and they are still processed 
which means that they still take time and resources... depending on the rule, it 
is best to disable it if you can...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
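A worked example of the two approaches contrasted in the reply, added here and not part of the thread or of PulledPork's own code: it applies PulledPork-style disablesid entries (gid:sid, comma-separated lists, gid:sid-gid:sid ranges, and pcre: regexes, which this example assumes are matched against the whole rule text) to a constructed snort.rules and comments the matches out, the way PulledPork keeps disabled rules out of memory, and it emits the threshold.conf suppress line for comparison, which leaves the rule loaded and evaluated. The function names and the sample rules are made up for the example.

```python
import re
# Constructed sample input, not taken from the thread.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"CONSTRUCTED noisy web probe"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"CONSTRUCTED ssh scan"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED dns lookup"; sid:1000003; rev:1;)
"""
SAMPLE_DISABLE = "1:1000001        # single gid:sid\npcre:ssh scan    # regex over rule text\n"
SID_RE, GID_RE = re.compile(r'\bsid:\s*(\d+)\s*;'), re.compile(r'\bgid:\s*(\d+)\s*;')

def parse_disablesid(text):
    """Return (set of (gid, sid), list of compiled regexes) from disablesid lines."""
    ids, pcres = set(), []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()          # drop trailing comments
        if line.startswith('pcre:'):
            pcres.append(re.compile(line[5:].strip()))
        elif line:
            for item in line.split(','):              # "1:100,1:101" lists
                if '-' in item:                       # "1:100-1:110" ranges (same gid assumed)
                    lo, hi = item.split('-', 1)
                    gid, lo_sid = (int(x) for x in lo.split(':'))
                    hi_sid = int(hi.split(':')[1])
                    ids.update((gid, s) for s in range(lo_sid, hi_sid + 1))
                else:
                    ids.add(tuple(int(x) for x in item.strip().split(':')))
    return ids, pcres

def rule_key(rule):                                   # (gid, sid); gid defaults to 1 as in Snort
    sid, gid = SID_RE.search(rule), GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1))) if sid else None

def apply_disablesid(rules_text, disable_text):
    """Comment out matching rules (what PulledPork writes); return new text and the keys hit."""
    ids, pcres = parse_disablesid(disable_text)
    out, disabled = [], []
    for rule in rules_text.splitlines():
        key = rule_key(rule)
        active = not rule.lstrip().startswith('#')    # skip rules already commented out
        if active and key and (key in ids or any(p.search(rule) for p in pcres)):
            out.append('# ' + rule)                   # commented rule is never loaded
            disabled.append(key)
        else:
            out.append(rule)
    return '\n'.join(out), disabled

def suppress_line(gid, sid):
    """threshold.conf form: the rule stays loaded and evaluated, only its alert is dropped."""
    return f'suppress gen_id {gid}, sig_id {sid}'
```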

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net