Snort mailing list archives

Re: Snort rules help


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 8 Jun 2010 09:19:36 -0400

My suggestion is to look into suppression.  Check README.thresholding in the doc/ directory of the Snort tarball.


9:07 AM, on Jun 8, 2010, wrote:

Hi all,

I am getting many false alerts (spp_ssh) Protocol mismatch from 1 machine we use to scan our machines for open ports. 
I have tried everything I can think of so as not to have these alerts show up in BASE. All the alerts come from 1 
IP address, so is there anything I can do so that they don't get written to the DB?

--
Joel Esler
302-223-5974
Jabber: jesler () sourcefire com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
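
The suppression suggested in the reply, as an added example that is not part of the original thread: a small script that reads alert_fast-style lines, finds which signatures fire from the scanner's address, and writes one `suppress` line per signature in the syntax documented in README.thresholding, scoped to that single source IP. The sample alerts, the IP addresses and the function names are constructed for illustration; take the gen_id and sig_id from your own alert output.

```python
import re
from collections import Counter

# Constructed alert_fast-style lines (sample data, not taken from the thread).
SAMPLE_ALERTS = """\
06/08-09:01:12.101010  [**] [128:4:1] (spp_ssh) Protocol mismatch [**] [Priority: 3] {TCP} 192.0.2.10:51514 -> 192.0.2.20:22
06/08-09:01:12.204040  [**] [128:4:1] (spp_ssh) Protocol mismatch [**] [Priority: 3] {TCP} 192.0.2.10:51520 -> 192.0.2.21:22
06/08-09:02:40.000001  [**] [128:4:1] (spp_ssh) Protocol mismatch [**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.0.2.20:22
06/08-09:03:05.500000  [**] [1:1000001:1] Constructed local rule [**] [Priority: 2] {TCP} 192.0.2.10:51600 -> 192.0.2.22:80
"""

# Captures gid, sid, message text and source IP from one alert line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)

def count_alerts(text, scanner_ip):
    """Count alerts per (gid, sid, msg) whose source address is scanner_ip."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("src") == scanner_ip:
            counts[(int(m.group("gid")), int(m.group("sid")), m.group("msg"))] += 1
    return counts

def suppress_lines(text, scanner_ip, only_gid=None):
    """Return suppress entries limited to one source IP and one signature each.

    only_gid restricts output to a single generator (e.g. one preprocessor),
    so unrelated alerts from the same host are not silenced by accident.
    """
    out = []
    for (gid, sid, msg), n in sorted(count_alerts(text, scanner_ip).items()):
        if only_gid is not None and gid != only_gid:
            continue
        out.append(f"# {msg}: {n} alert(s) from {scanner_ip}")
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {scanner_ip}")
    return out

if __name__ == "__main__":
    print("\n".join(suppress_lines(SAMPLE_ALERTS, "192.0.2.10", only_gid=128)))
```

Because each entry uses `track by_src` with the scanner's address, the same signature from any other source (the third sample line) still alerts and still reaches the database.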

