Snort mailing list archives

Re: Suppress alerts


From: Joel Esler <joel.esler () sourcefire com>
Date: Tue, 18 Oct 2005 11:00:15 -0400

We need a bit more info than what you've provided.

Joel


On Oct 18, 2005, at 10:53 AM, Peter Rodger wrote:

Hi all,

Can anyone point out what's wrong with my config?  The
alerts are still not suppressed.

I am just too overwhelmed with this.

Any help will be greatly appreciated.

Thanks,

Peter

Note: forwarded message attached.

From: Peter Rodger <prodger2008 () yahoo com>
Date: October 17, 2005 2:35:26 PM EDT
To: Joel Esler <joel.esler () sourcefire com>
Cc: s <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Suppress alerts


Joel,

Thanks for the info and help.  The threshold.conf file
is in /snort/etc directory following the instruction
in snort.conf file. (the file in the /etc and /rules
folder) Even if I change threshold.conf in the \rules
directory, the result is still the same.

Please see the attached snort.conf and threshold.conf
files in the \snort\etc folder.

I did change threshold.conf in both /etc and /rules
folders and include d:\win-ds\snort\etc\threshold.conf
in the snort.conf file.
Still cannot suppress these alerts?

Let me know what's wrong with my config?  I cannot
figure out why?

Thanks again,

Peter



--- Joel Esler <joel.esler () sourcefire com> wrote:


The threshold.conf is probably in your /rules directory.  (The
directory is located in your snort.conf.  Search your snort.conf for
"threshold.conf" and you'll see the include statement.)

The Generator ID and SID are located in gid-msg.map and sid-msg.map.
Probably in your rules directory.

Joel Esler
SOURCEfire


On Oct 17, 2005, at 1:06 PM, Peter Rodger wrote:


Bruce,

Thanks!  I am running Snort on Windows too.   I'm
using IIS6, MSSQL, PHP, and BASE on Windows 2003.
BTW, I just found out that the threshold.conf file is
in two places: one is in the \snort\etc folder; another is
in the \snort\rules folder.  Which one should I change?

I changed the one in the \snort\etc folder.

How do you get the generator ID or SID?

Thanks again,

Peter
--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:



Yes I did see your Friday e-mail.

I am running Snort on Windows and do not have your problem.

Also you do not need to reboot your Snort machine when making a config
change - just stop & restart Snort.

What Snort version?
What other support tools are you using - such as web server & logging
database & alert viewer?
I'm using Apache, MySQL, PHP, and BASE.

Bruce


-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Monday, October 17, 2005 11:52 AM
To: Briggs, Bruce
Subject: Fwd: RE: [Snort-users] Suppress alerts

Bruce,

Did you check this message I sent you last Friday?


The snort.conf is the right file I changed.

What could go wrong with it?

Thanks so much,

Peter
Note: forwarded message attached.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<snort.conf>
<threshold.conf>
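
The two checks suggested in the thread (find which threshold.conf the snort.conf `include` line actually loads, then look up the SID in sid-msg.map), as an added example that is not part of the original messages or the Snort project's code. The config excerpt, the map lines, the RULE_PATH value and the function names are constructed for illustration; only the d:\win-ds\snort\etc\threshold.conf path comes from the thread.

```python
import re

# Constructed snort.conf excerpt (not the poster's attachment); RULE_PATH is assumed.
SAMPLE_CONF = r"""
var RULE_PATH d:\win-ds\snort\rules
include $RULE_PATH/local.rules
# include threshold.conf
include d:\win-ds\snort\etc\threshold.conf
"""
# Constructed sid-msg.map lines in the "SID || message || reference" layout.
SAMPLE_SID_MAP = """
1000001 || EXAMPLE ping sweep || url,example.invalid/a
1000002 || EXAMPLE web probe
"""

def active_includes(conf_text):
    """Return (line_no, resolved_path) for each uncommented include line."""
    variables, found = {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out include is never loaded
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "include" and len(parts) >= 2:
            path = line.split(None, 1)[1]
            path = re.sub(r"\$(\w+)",
                          lambda m: variables.get(m.group(1), m.group(0)), path)
            found.append((no, path))
    return found

def threshold_includes(conf_text):
    """Only the includes whose file name is threshold.conf (either slash style)."""
    return [(no, p) for no, p in active_includes(conf_text)
            if re.split(r"[\\/]", p)[-1].lower() == "threshold.conf"]

def sids_matching(map_text, needle):
    """Find (sid, msg) pairs in sid-msg.map text by a message substring."""
    hits = []
    for line in map_text.splitlines():
        fields = [f.strip() for f in line.split("||")]
        if len(fields) >= 2 and fields[0].isdigit() and needle.lower() in fields[1].lower():
            hits.append((int(fields[0]), fields[1]))
    return hits

def suppress_line(sid, gid=1):
    """threshold.conf suppress entry; generator 1 is the text-rule engine."""
    return f"suppress gen_id {gid}, sig_id {sid}"
```

If `threshold_includes` returns an empty list, or a path other than the copy that was edited, the suppress entries are never read, whichever folder the file sits in.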
