Snort mailing list archives
Re: Using suppress and syntax
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 20 May 2010 09:53:37 -0400
Bill, to answer your second question, yes, the way you have it should work just fine. On May 19, 2010, at 9:35 PM, Bill Pickens wrote:
Thanks Shawn,
It is a version issue for the first question.
suppress gen_id 1, sig_id 2009955, track by_dst, ip [172.16.1.120,172.16.1.121]
I just test it on:
Version 2.8.4.1 (Build 38) --- It didn, work!
Version 2.8.6 (Build 38) ---- It worked!
On Wed, May 19, 2010 at 5:49 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,
I’m doing this and it works:
suppress gen_id 1, sig_id 2009955, track by_dst, ip [172.16.1.120,172.16.1.121]
with Snort v.2.8.5.3
and I tested your suppress line and it worked for me as well (snort -T), no error message.
From: Bill Pickens [mailto:wmpickens () gmail com]
Sent: Wednesday, May 19, 2010 1:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Using suppress and syntax
Hello Everyone,
I want to suppress a rule for a number of servers.
Can I do that?
I tried this an it gives me a parsing error:
suppress gen_id 1, sig_id 469, track by_dst, ip [10.106.88.29,10.102.128.1,10.103.128.2,172.17.17.150]
Also,
What would be the proper syntax for the the last line show here:
var ENT_DNS_SERVERS [10.101.1.1,10.103.1.2,10.105.3.4]
var LOCAL_DNS_SERVERS [172.6.5.4,172.8.7.3,172.6.6.6]
var DNS_SERVERS [$ENT_DNS_SERVERS,$LOCAL_DNS_SERVERS] <--- is this correct? snort doesn't complain
Thanks
Bill
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Joel Esler
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Using suppress and syntax Bill Pickens (May 19)
- Re: Using suppress and syntax Jefferson, Shawn (May 19)
- Re: Using suppress and syntax Jason Wallace (May 19)
- Re: Using suppress and syntax Bill Pickens (May 19)
- Re: Using suppress and syntax Joel Esler (May 20)
- Re: Using suppress and syntax Jefferson, Shawn (May 19)