Snort mailing list archives

problem tuning out one particular rule


From: "Youngquist, Jason R." <jryoungquist () ccis edu>
Date: Wed, 30 Mar 2011 15:50:25 +0000

So I've been doing some Snort tuning over the last couple weeks.  I'm using Snort 2.9.0.4, Barnyard2, and PulledPork 
0.5.  There's this one event signature "WEB-CLIENT Portable Executable binary file transfer" (sid: 15306) and I've been 
trying to tune it out, but it still keeps on firing.

I have it in the disablesid.conf
# WEB-CLIENT Portable Executable binary file transfer
1:15306

I also put it in the threshold.conf as well
# ignore these WEB-CLIENT Portable Executable binary file transfer
suppress gen_id 1, sig_id 15306, track by_src, ip 10.0.0.0/8

Yet, the rule keeps firing.  All of the other rules I've ignored using the methods above have worked, so not sure 
what's different about this particular rule.

Thoughts?

Thanks.
Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
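As an added illustration (not part of the original post or of Snort, Barnyard2 or PulledPork), a small audit script for the situation described above: it reports whether a given SID is still live (uncommented) in the rules text Snort loads and whether a `suppress` entry would actually apply to a given alert, since a `track by_src`/`by_dst` suppression only takes effect when the tracked address of the packet falls inside the listed CIDR. The rule line and threshold.conf contents below are constructed samples; only sid 15306 and the suppress line come from the post.

```python
import re
import ipaddress

# Constructed sample inputs standing in for a loaded rules file and threshold.conf.
RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Portable Executable binary file transfer"; flow:to_client,established; sid:15306; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example disabled rule"; sid:99999; rev:1;)
"""
THRESHOLD = """\
# ignore these WEB-CLIENT Portable Executable binary file transfer
suppress gen_id 1, sig_id 15306, track by_src, ip 10.0.0.0/8
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# suppress syntax as used in the post: gen_id N, sig_id N[, track by_src|by_dst, ip CIDR]
SUPPRESS_RE = re.compile(
    r'^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)'
    r'(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?', re.I)

def rule_state(rules_text, sid):
    """Return 'enabled', 'disabled' (every copy commented out) or 'absent' for sid."""
    state = 'absent'
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if not m or int(m.group(1)) != sid:
            continue
        if not line.lstrip().startswith('#'):
            return 'enabled'        # one live copy is enough for Snort to fire it
        state = 'disabled'
    return state

def suppressions(threshold_text, gid, sid):
    """List (track, cidr) pairs of suppress lines matching gid:sid; track/cidr are None if absent."""
    out = []
    for line in threshold_text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m and int(m.group(1)) == gid and int(m.group(2)) == sid:
            track = m.group(3).lower() if m.group(3) else None
            out.append((track, m.group(4)))
    return out

def suppressed(threshold_text, gid, sid, src, dst):
    """Would an alert for gid:sid on a packet src -> dst be dropped by a suppress line?"""
    for track, cidr in suppressions(threshold_text, gid, sid):
        if track is None:
            return True             # no track clause: suppressed unconditionally
        addr = ipaddress.ip_address(src if track == 'by_src' else dst)
        if addr in ipaddress.ip_network(cidr):
            return True
    return False
```

For a client-side rule the flagged packet usually travels from the external web server to the internal host, so the check with `src` outside and `dst` inside the range shows what the suppression does in that case.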

