Snort mailing list archives

Re: Suppressing gen_id 116


From: Brian <bmc () snort org>
Date: Thu, 5 Aug 2004 10:09:41 -0400

On Tue, Jul 20, 2004 at 10:33:48AM -0700, snort user wrote:
> I am running snort 2.1.3 and I am trying to suppress the
> following snort_decoder alerts using the thresholding
> functionality:
>
> (snort_decoder) WARNING: Bad Token Ring MR Header!
> (snort_decoder) WARNING: Bad Token Ring ETHLLC Header!
> (snort_decoder) WARNING: Bad Token Ring MRLENHeader!
>
> My threshold.conf file looks like this:
>
> suppress gen_id 116, sig_id 141
> suppress gen_id 116, sig_id 142
> suppress gen_id 116, sig_id 143

Suppression doesn't work on alerts on packets without valid IP
headers.  I logged this as a bug a while ago and submitted a patch
that fixes it for me.  We'll see when a fix for the bug is accepted.

-brian

