RE: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP"

["Paul Melson" <pmelson () gmail com>]

> I have 2 machines for which this traffic is "normal" I have looked for the
rule that 
> triggers SPECIFFICALLY this alert . I can't find it the SID is 1:151 but
there is no 
> matching description; this SID points to other alerts (BACKDOOR D e e p T
h r o a t 3.1 
> Client Sending Data to Server on Network). There is another BAD TRAFFIC
alert and I was able 
> to suppress that one. I was advised on the sonrt.org forum to upgrade from
2.4.0 to 2.4.1 
> but I made the jump to 2.4.2 and I am still getting overloaded with these
alerts. I have 
> tried the RTFM approach .. I have searched the snort forums and read
through any relevant 
> posts I can find .. All to no avail . any help would be greatly
appreciated.

These alerts are generated by the Snort decoder.  You can tune some aspects
of the decoder from your snort.conf file.  More here from TFM:

http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node10.html

(See Table 2.1)


PaulM



-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users