Snort mailing list archives

Suppressing gen_id 116


From: snort user <snortuser2000 () yahoo com>
Date: Wed, 21 Jul 2004 13:19:44 -0700 (PDT)

I am running snort 2.1.3 and I am trying to suppress the
following snort_decoder alerts using the thresholding
functionality:

(snort_decoder) WARNING: Bad Token Ring MR Header!
(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!
(snort_decoder) WARNING: Bad Token Ring MRLENHeader!

My threshold.conf file looks like this:

suppress gen_id 116, sig_id 141
suppress gen_id 116, sig_id 142
suppress gen_id 116, sig_id 143

I have 'include threshold.conf' in my snort.conf. 
When I load snort, not in daemon mode, I see the rules
load, but the events still get logged to my database. 
The only way I have been able to turn them off is to
set the following option in snort.conf:

config disable_decode_alerts

Can anyone tell me why suppression is not working for
me?  Is my gen_id wrong? sig_id?

TIA.


        
                