Re: suppressing alert...

[waldo kitty <wkitty42 () windstream net>]

no one has any comment on this??


On 9/17/2010 14:39, waldo kitty wrote:
> if you have more than one IP that you want to suppress an alert for, is it
> better to use multiple lines or list all the addresses (and CIDRs) on one line?
>
> example 1:
> suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
> suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
>
>
> example 2:
> suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]
>
>
> i'm undecided and tend to lean more toward example 1 mainly due to the
> manageability aspects... consider a large list of IPs and trying to locate and
> remove just one...
>
>
> in using the example 1 format, i note that snort 2.8.6.1 shows two suppression
> lines exactly the same but displays "<list>" for the IPs instead of listing the
> actual IPs and/or CIDRs given...
>
> [quote]
> Sep 17 14:02:50 perseus snort[14304]:
> +-----------------------[suppression]------------------------------------------
> Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1
> tracking=src-ip=<list>
> Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1
> tracking=src-ip=<list>
> Sep 17 14:02:50 perseus snort[14304]:
> -------------------------------------------------------------------------------
> [/quote]
>
> using the example 2 format gets one line but still displays "<list>" instead of
> the actual IPs and/or CIDRs...
>
> BUG??


------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users