Snort mailing list archives
Re: Suppressing gen_id 116
From: Brian <bmc () snort org>
Date: Thu, 5 Aug 2004 10:09:41 -0400
On Tue, Jul 20, 2004 at 10:33:48AM -0700, snort user wrote:
I am running snort 2.1.3 and I am trying to suppress the following snort_decoder alerts using the thresholding functionality:

(snort_decoder) WARNING: Bad Token Ring MR Header!
(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!
(snort_decoder) WARNING: Bad Token Ring MRLENHeader!

My threshold.conf file looks like this:

suppress gen_id 116, sig_id 141
suppress gen_id 116, sig_id 142
suppress gen_id 116, sig_id 143
Suppression doesn't work on alerts on packets without valid IP headers. I logged this as a bug a while ago and submitted a patch that fixes it for me. We'll see when a fix for the bug is accepted.

-brian
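A downstream filter for the situation described in this thread, added here as an example (not part of the original messages and not Snort code): it reads the same suppress lines and drops matching decoder alerts from a text alert log by gen_id and sig_id, keeping a count of what was dropped. The config text and alert lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the suppress lines quoted in the thread.
THRESHOLD_CONF = """\
# decoder alerts to silence
suppress gen_id 116, sig_id 141
suppress gen_id 116, sig_id 142
suppress gen_id 116, sig_id 143
"""

# Constructed alert lines using the "[gen_id:sig_id:rev] message" layout.
ALERTS = [
    "[**] [116:141:1] (snort_decoder) WARNING: Bad Token Ring MR Header! [**]",
    "[**] [116:142:1] (snort_decoder) WARNING: Bad Token Ring ETHLLC Header! [**]",
    "[**] [1:1000001:1] constructed rule alert that must be kept [**]",
    "[**] [116:143:1] (snort_decoder) WARNING: Bad Token Ring MRLENHeader! [**]",
]

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*(,.*)?$")
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")

def load_suppressions(conf_text):
    """Return (gen_id, sig_id) pairs from unconditional suppress lines."""
    pairs = set()
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line.split("#", 1)[0])  # ignore comments
        # Lines with "track ..., ip ..." are IP-scoped; a log line for a
        # packet without an IP header gives nothing to match them on.
        if m and not m.group(3):
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs

def filter_alerts(lines, suppressed):
    """Split alert lines into kept lines and a per-id count of dropped ones."""
    kept, dropped = [], Counter()
    for line in lines:
        m = ALERT_ID_RE.search(line)
        key = (int(m.group(1)), int(m.group(2))) if m else None
        if key in suppressed:
            dropped[key] += 1   # counted, so the volume stays visible
        else:
            kept.append(line)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = filter_alerts(ALERTS, load_suppressions(THRESHOLD_CONF))
    print("\n".join(kept))
    print(dict(dropped))
```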