Snort mailing list archives
Thresholding and suppression
From: "Lance Boon" <lboon () firststatebanksw com>
Date: Thu, 14 Oct 2004 16:37:07 -0500
I've run into something strange when using the threshold.conf file. If I try to:

suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x

all alerts that are generated for telnet access to that specific IP address are suppressed as expected, but if I try to telnet to a jet direct box I would think that alerts should be generated for that sig, as the IP address is different, but I don't see any alerts generated... Everything else is working correctly. I'm using snort 2.2/latest ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var EXTERNAL_NET !$HOME_NET, with an IP in the var TELNET_SERVERS [x.x.x.x]. Am I just missing something?
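An added example, not part of the original post and not Snort's own code: a small Python model of how a threshold.conf `suppress` line with `track by_src` is matched against events, useful for checking what a given line can and cannot hide. The function names are hypothetical and the addresses are constructed (RFC 5737 documentation ranges) standing in for the redacted x.x.x.x values.

```python
import ipaddress
from typing import NamedTuple, Optional

class Suppress(NamedTuple):
    gen_id: int
    sig_id: int
    track: Optional[str]   # "by_src", "by_dst", or None (suppress for all hosts)
    net: Optional[object]  # ipaddress network the tracked address must fall in

def parse_suppress(line: str) -> Suppress:
    """Parse one Snort 2.x 'suppress' line as written in threshold.conf."""
    keyword, _, rest = line.strip().partition(" ")
    if keyword != "suppress":
        raise ValueError(f"not a suppress line: {line!r}")
    opts = {}
    for field in rest.split(","):
        key, _, value = field.strip().partition(" ")
        opts[key] = value.strip()
    track = opts.get("track")
    if track not in (None, "by_src", "by_dst"):
        raise ValueError(f"bad track value: {track!r}")
    if (track is None) != ("ip" not in opts):
        raise ValueError("track and ip must be given together")
    # A bare address becomes a /32; CIDR notation is accepted as well.
    net = ipaddress.ip_network(opts["ip"], strict=False) if track else None
    return Suppress(int(opts["gen_id"]), int(opts["sig_id"]), track, net)

def is_suppressed(rule: Suppress, gen_id: int, sig_id: int,
                  src: str, dst: str) -> bool:
    """True if an event with this generator/signature and these IPs is dropped."""
    if (gen_id, sig_id) != (rule.gen_id, rule.sig_id):
        return False
    if rule.track is None:
        return True
    tracked = src if rule.track == "by_src" else dst
    return ipaddress.ip_address(tracked) in rule.net

# Constructed stand-ins: a telnet server, a second device, an outside client.
SERVER, PRINTER, CLIENT = "192.0.2.10", "192.0.2.20", "198.51.100.7"
RULE = parse_suppress(f"suppress gen_id 1, sig_id 716, track by_src, ip {SERVER}")

def demo() -> dict:
    return {
        "server_as_src": is_suppressed(RULE, 1, 716, SERVER, CLIENT),
        "printer_as_src": is_suppressed(RULE, 1, 716, PRINTER, CLIENT),
        "server_as_dst": is_suppressed(RULE, 1, 716, CLIENT, SERVER),
        "other_sig": is_suppressed(RULE, 1, 717, SERVER, CLIENT),
    }

if __name__ == "__main__":
    print(demo())
```

An event that this model reports as not suppressed but that never appears as an alert was not removed by the suppress line, so the next thing to check is whether the rule fired for that traffic at all.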