Snort mailing list archives
Suppressing gen_id 116
From: snort user <snortuser2000 () yahoo com>
Date: Tue, 20 Jul 2004 10:33:48 -0700 (PDT)
I am running snort 2.1.3 and I am trying to suppress the following snort_decoder alerts using the thresholding functionality:

(snort_decoder) WARNING: Bad Token Ring MR Header!
(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!
(snort_decoder) WARNING: Bad Token Ring MRLENHeader!

My threshold.conf file looks like this:

suppress gen_id 116, sig_id 141
suppress gen_id 116, sig_id 142
suppress gen_id 116, sig_id 143

I have 'include threshold.conf' in my snort.conf. When I load snort, not in daemon mode, I see the rules load, but the events still get logged to my database. The only way I have been able to turn them off is to set the following option in snort.conf:

config disable_decode_alerts

Can anyone tell me why suppression is not working for me? Is my gen_id wrong? sig_id?

TIA.
Current thread:
- Suppressing gen_id 116 snort user (Jul 21)
- <Possible follow-ups>
- Suppressing gen_id 116 snort user (Aug 04)
- Re: Suppressing gen_id 116 Brian (Aug 05)