Snort mailing list archives
Threshold/Suppression question
From: "Jason Linden" <jlinden () uakron edu>
Date: Tue, 18 Nov 2003 09:01:19 -0500
This may not be possible, but would be a great addition in the next release. I have started using the standalone thresholding and suppression commands and they are working great, kudos to Marc for a job well done! My one problem is I would like to set a couple up with a negated IP address, i.e.

    suppress gen_id 1, sig_id 1000000, track by_dst, ip !x.x.x.x/32

When I start Snort I see:

    SUPPRESS: gen_id=1, sig_id=1000000, tracking=1, ip=255.255.255.255, mask=255.255.255.255

I have Snort set up with multiple interfaces and use the same ruleset for all Snort instances, so I don't really want to customize the rule itself. I have a different threshold.conf for each instance. Anyone have an idea how I can make this work? Thanks!