Snort mailing list archives

threshold and suppress ??


From: Andraz Sraka <a () aufbix org>
Date: Mon, 01 Mar 2004 19:49:06 +0100

re

I'm setting up snort IDS for observing the activity of a larger network (of
size /19) and I'd like to suppress some events from trusted hosts that
snort reports as alerts. So I'm trying to suppress all alerts for some
trusted hosts that are doing GRE tunneling, since snort reports almost
every possible alert between two trusted hosts on the GRE layer.

In threshold.conf I've put something like this:

suppress gen_id 1, sig_id 0, track by_dst, ip x.x.x.y/32

but snort still generates alerts for this trusted host. So can I apply
a suppress rule that suppresses all events from a specified IP?

regards,
 Andraz

-- 
BOFH excuse #265:

The mouse escaped.

