Snort mailing list archives

Re: Suppress alerts

From: Joel Esler <joel.esler () sourcefire com>
Date: Mon, 17 Oct 2005 13:17:59 -0400

The threshold.conf is probably in your /rules directory. (Thedirectory is located in your snort.conf Search your snort.conf for"threshold.conf" and you'll see the include statement.

The Generator ID and SID are located in gid-msg.map and sid-msg.map.Probably in your rules directory.


Joel Esler
SOURCEfire


On Oct 17, 2005, at 1:06 PM, Peter Rodger wrote:

Bruce,

Thanks!  I am running Snort on windows too.   I'm
using IIS6, MSSQL, PHP, and BASE on windows2003.
BTW, I just found out that the threshold.conf file is
in two plases: one is in \snort\etc folder; another is
in \snort\rules folder.  Which one should I change?
I changed the one in \snort\etc folder.

How do you get genenator ID or SID?

Thanks again,

Peter
--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

Yes I did see your Friday e-mail.

I am running Snort on Windows and do not have your
problem.

Also you do not need to reboot your Snort machine
when making a config
change - just stop & restart Snort.

What Snort version?
What other support tools are you using - such as web
server & logging
database & alert viewer?
I'm using Apache, MySQL, PHP, and BASE.

Bruce


-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Monday, October 17, 2005 11:52 AM
To: Briggs, Bruce
Subject: Fwd: RE: [Snort-users] Suppress alerts

Bruce,

Did you check this message I sent you last Friday?

The snort.conf is the right file I changed.

What could go wrong with it?

Thanks so much,

Peter
Note: forwarded message attached.





__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com






__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com


-------------------------------------------------------
This SF.Net email is sponsored by:

Power Architecture Resource Center: Free content, downloads,discussions,

and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Suppress alerts Peter Rodger (Oct 14)
- Re: Suppress alerts Frank Knobbe (Oct 14)
  - Re: Suppress alerts Peter Rodger (Oct 17)
- <Possible follow-ups>
- RE: Suppress alerts Briggs, Bruce (Oct 14)
- RE: Suppress alerts Briggs, Bruce (Oct 17)
- RE: RE: Suppress alerts Peter Rodger (Oct 17)
  - Re: Suppress alerts Joel Esler (Oct 17)
    - Re: Suppress alerts Peter Rodger (Oct 17)
- Fwd: Re: Suppress alerts Peter Rodger (Oct 18)
  - Re: Suppress alerts Joel Esler (Oct 18)
    - Re: Suppress alerts Peter Rodger (Oct 18)
    - Re: Suppress alerts Frank Knobbe (Oct 18)
  - Re: Fwd: Re: Suppress alerts João Mota (Oct 18)
    - Re: Fwd: Re: Suppress alerts Peter Rodger (Oct 18)
    - RE: Fwd: Re: Suppress alerts Patrick Harper (Oct 18)
    - RE: Fwd: Re: Suppress alerts Peter Rodger (Oct 18)
    - Re: Fwd: Re: Suppress alerts João Mota (Oct 19)

(Thread continues...)