Snort mailing list archives

thresholding: SNMP alerts


From: Steffen "Maetzky (extern)" <Steffen.Maetzky () gedas de>
Date: 15 Apr 2004 17:52:36 +0200

Hi,

I want to ignore warnings of 3 different IPs (test servers) and have
made the following entry in my threshold.conf, which I've included in
snort.conf:

#SNMP public access udp
suppress gen_id 1, sig_id 1411, track by_src,ip [<IP1> <IP2> <IP3>]

restarting snort... 
no error message, but doesn't work

#SNMP public access udp
suppress gen_id 1, sig_id 1411, track by_src,ip [<IP1>, <IP2>, <IP3>]

restarting snort...
error message

It seems to me that it's not possible to use an IP list:

#SNMP public access udp
suppress gen_id 1, sig_id 1411, track by_src,ip <IP1>
suppress gen_id 1, sig_id 1411, track by_src,ip <IP2> 
suppress gen_id 1, sig_id 1411, track by_src,ip <IP3>

restarting snort...
no error message, but doesn't work

I think gen_id 1 (rules) should be right but I've also tried 121 without
success.

Does anyone know what's wrong?







