Re: alert suppression

[Pedro Marinho <pppmarinho () gmail com>]

Hello Jefferson,

> Searching on the IP address in the tagged packet, like Greg suggested and
then sorting them >by timestamp shows that this alert and a couple of tagged
packets all have the same src/dst >IP and port and timestamp in BASE.

> Now I know what they are, I don't want to get rid of them from showing up
in BASE. ;)

> Thanks,
> Shawn

I know a way to get rid of it on base; Log in at mysql
use databasesnort;

First you have to figure it out what is the sig_id of this

select sig_id from signature where sig_name = 'tag: tagged packet';

this query will return a number like 435 for example
then u do another query with the number from the previously query

delete from event where signature = 435;
delete from acid_event where signature = 435;

ps: be carefull!! this will delete all alerts that have the signature msg
"tag: tagged packet" from snort database

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image 
processing features enabled. http://p.sf.net/sfu/kodak-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users