Re: Performance and rule tuning

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

Hi,

I've read through the README and I still have a question.. what should the gen_id of "ftp_pp: FTP command channel 
encrypted" be?  125 or 1 ?

My suppress rule looks like:

suppress gen_id 125, sig_id 7

Thanks,
Shawn

-----Original Message-----
From: Joel Esler [mailto:eslerj () gmail com]
Sent: December 03, 2008 1:34 PM
To: Jefferson, Shawn
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Performance and rule tuning


On Dec 3, 2008, at 2:57 PM, Jefferson, Shawn wrote:

> One more question about rule tuning:
>
> I am getting some false positives from the ftp pre-processor.  How
> do I suppress these without disabling the pre-processor altogether?

Threshold and Suppression commands.  Take a look at the
README.threshold in the doc/ directory of your Snort tarball, also
take a look at the threshold.conf file in the etc/ directory of your
Snort tarball.  You will see many examples on how to configure
Threshold and Suppression, in order to tune your system.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users