Snort mailing list archives

Re: Suppressing alerts.


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 28 Feb 2005 13:21:15 -0500

At 09:14 AM 2/28/2005, chubeshoi () chubes com wrote:

> Are generating too many alerts. I have attempted to suppress these alerts in my snort.conf file like the following:
> suppress gen_id 1, sig_id 27:
> suppress gen_id 1, sig_id 19:
> suppress gen_id 1, sig_id 4:
>
> But those alerts keep on flooding my SQL database. Am I using the correct signature ID numbers? I don't know what else to try.

Well, you are close, but you have the wrong gen_ids. Generator 1 is the rules, and no preprocessor-generated alerts will match it.


> [snort] (portscan) Open Port   unclassified
> [snort] (portscan) UDP Portsweep   unclassified

sfportscan is generator 122, so you need to suppress gen_id 122 with sig_id 27 and 19.

> [snort] (http_inspect) BARE BYTE UNICODE ENCODING

http_inspect is generator 119, so you need to suppress gen_id 119, sig_id 4.

Try these instead:

suppress gen_id 122, sig_id 27:
suppress gen_id 122, sig_id 19:
suppress gen_id 119, sig_id 4:



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
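As an added illustration (not code from the thread or from the Snort project), the following Python script applies both sets of suppress entries from the reply above to a few constructed alert lines written in Snort's `[gen_id:sig_id:rev]` identifier format, and shows why entries written against generator 1 never match alerts raised by the sfportscan (122) and http_inspect (119) preprocessors. The alert lines and the local rule with sig_id 1000001 are constructed samples, not taken from the poster's database.

```python
import re

# Constructed sample alerts in the [gen_id:sig_id:rev] form Snort prints.
# The generator/signature pair is what a suppress entry is matched against.
SAMPLE_ALERTS = """\
[**] [122:27:1] (portscan) Open Port [**]
[**] [122:19:1] (portscan) UDP Portsweep [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[**] [1:1000001:1] CONSTRUCTED local rule that must keep alerting [**]
"""

# The poster's entries (generator 1) and the corrected entries from the reply.
ORIGINAL_CONF = """\
suppress gen_id 1, sig_id 27
suppress gen_id 1, sig_id 19
suppress gen_id 1, sig_id 4
"""
CORRECTED_CONF = """\
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
"""

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$")
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\]")


def parse_suppress(conf):
    """Return the set of (gen_id, sig_id) pairs a snort.conf fragment suppresses."""
    pairs = set()
    for line in conf.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def filter_alerts(alerts, suppressed):
    """Split alert lines into (passed, dropped) by (gen_id, sig_id) lookup."""
    passed, dropped = [], []
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        key = (int(m.group(1)), int(m.group(2))) if m else None
        (dropped if key in suppressed else passed).append(line)
    return passed, dropped


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        passed, dropped = filter_alerts(SAMPLE_ALERTS, parse_suppress(conf))
        print(f"{name}: {len(dropped)} suppressed, {len(passed)} still alerting")
```

Running it reports that the generator-1 entries suppress nothing, while the corrected entries drop all three preprocessor alerts and leave the generator-1 rule alert untouched.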