Snort mailing list archives

Re: Using suppress and syntax


From: Bill Pickens <wmpickens () gmail com>
Date: Wed, 19 May 2010 21:35:56 -0400

Thanks Shawn,
It is a version issue for the first question.

suppress gen_id 1, sig_id 2009955, track by_dst, ip [172.16.1.120,172.16.1.121]
I just tested it on:
              Version 2.8.4.1 (Build 38) --- It didn't work!
              Version 2.8.6 (Build 38) ---- It worked!



On Wed, May 19, 2010 at 5:49 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Hi,

I’m doing this and it works:

suppress gen_id 1, sig_id 2009955, track by_dst, ip [172.16.1.120,172.16.1.121]

with Snort v.2.8.5.3

and I tested your suppress line and it worked for me as well (snort -T), no error message.


 ------------------------------

*From:* Bill Pickens [mailto:wmpickens () gmail com]
*Sent:* Wednesday, May 19, 2010 1:39 PM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] Using suppress and syntax



Hello Everyone,



I want to suppress a rule for a number of servers.

Can I do that?

I tried this and it gives me a parsing error:

suppress gen_id 1, sig_id 469, track by_dst, ip [10.106.88.29,10.102.128.1,10.103.128.2,172.17.17.150]


Also, what would be the proper syntax for the last line shown here:

var ENT_DNS_SERVERS [10.101.1.1,10.103.1.2,10.105.3.4]

var LOCAL_DNS_SERVERS [172.6.5.4,172.8.7.3,172.6.6.6]

var DNS_SERVERS [$ENT_DNS_SERVERS,$LOCAL_DNS_SERVERS]  <--- is this correct? snort doesn't complain



Thanks

Bill
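
An added example, not part of the thread or of Snort itself: a Python sketch that rewrites a bracketed-list suppress line as one suppress line per address, for a build that rejects the list form as 2.8.4.1 did above, and that flattens the nested var definitions to the addresses they cover. It assumes the older build accepts single-address suppress lines; the function names are hypothetical.

```python
import ipaddress
import re

# List form from this thread: suppress gen_id G, sig_id S, track T, ip [a,b,...]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?)\s*$")
VAR_RE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(\S+)\s*$")

# Config lines copied from the thread: the three vars and the failing suppress.
SAMPLE = """\
var ENT_DNS_SERVERS [10.101.1.1,10.103.1.2,10.105.3.4]
var LOCAL_DNS_SERVERS [172.6.5.4,172.8.7.3,172.6.6.6]
var DNS_SERVERS [$ENT_DNS_SERVERS,$LOCAL_DNS_SERVERS]
suppress gen_id 1, sig_id 469, track by_dst, ip [10.106.88.29,10.102.128.1,10.103.128.2,172.17.17.150]
"""

def parse_vars(text):
    """Collect var/ipvar definitions as name -> raw value."""
    return {m.group(1): m.group(2)
            for m in map(VAR_RE.match, text.splitlines()) if m}

def flatten(spec, variables, seen=()):
    """Expand brackets and $VAR references into a flat list of addresses."""
    out = []
    for item in spec.replace("[", "").replace("]", "").split(","):
        item = item.strip()
        if item.startswith("$"):
            name = item[1:]
            if name in seen or name not in variables:
                raise ValueError(f"undefined or circular variable: {item}")
            out.extend(flatten(variables[name], variables, seen + (name,)))
        elif item:
            # Rejects anything that is not an address or CIDR (negation included).
            ipaddress.ip_network(item, strict=False)
            out.append(item)
    return out

def split_suppress(text):
    """Rewrite each list-form suppress line as one line per address.

    Assumption: the target build accepts single-address suppress lines.
    """
    variables, out = parse_vars(text), []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        addrs = flatten(m.group(4), variables) if m else []
        out += [f"suppress gen_id {m.group(1)}, sig_id {m.group(2)}, "
                f"track {m.group(3)}, ip {a}" for a in addrs] or [line]
    return "\n".join(out)
```

Run the rewritten file through `snort -T`, as in the reply above, before deploying it.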


