Snort mailing list archives

Re: Preprocessing rule blocking


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 24 May 2013 11:01:44 -0400

On 5/24/2013 09:00, SnortFan wrote:
> I decided to try to suppress using:
>
> Suppress gen_id 137, sig_id 1

that looks correct... i don't think case matters but all of my threshold.conf entries are lowercase...

> But suppression doesn't seem to work, after restarting snort the alerts still get through.

gotta ask... you are looking at new entries after making the threshold.conf change and restarting your snort, correct?

> If I try at the snort.conf by commenting out the preprocessor wouldn't I be suppressing all SSL alerts?

yes, that's why i pointed you to the preprocessor.rules stub file in /path/to/your/preproc_rules directory ;)

> Thanks,
>
> Sent from a mobile device.
>
> On May 23, 2013, at 8:00 PM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> On 5/23/2013 15:15, SnortFan wrote:
>>> Hi All,
>>>      If I want to limit or block all reporting on Snort Alert [137:1:0]
>>>
>>> Would this work to limit it to one for every minute via the threshold.conf. Is there an easy way to block it all together?
>>>
>>> event_filter \
>>>     gen_id 137, sig_id 1, \
>>>     type limit, track by_src, \
>>>     count 1, seconds 60
>>
>> yes, that will limit it to one alert every minute...
>>
>> to disable it completely, you might comment the rule out in your preproc_rules/preprocessor.rules file if you are using that... i /think/ that's where the stub is located...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
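The two threshold.conf mechanisms discussed in this thread, an event_filter of type limit and a suppress entry, modelled in an added Python example that is not from the posts above or from Snort itself: it parses a constructed threshold.conf fragment and replays constructed alerts to show which ones would still be logged. The suppress line uses a placeholder local-rule SID (1:1000001) rather than 137:1, so both behaviours can be seen side by side, and only type limit is modelled.

```python
import re
# Constructed threshold.conf fragment (not the poster's file): the thread's event_filter plus a suppress entry for a placeholder local-rule SID.
THRESHOLD_CONF = """
event_filter \\
    gen_id 137, sig_id 1, \\
    type limit, track by_src, \\
    count 1, seconds 60
suppress gen_id 1, sig_id 1000001
"""
ALERTS = [  # constructed alerts: (gid, sid, src_ip, dst_ip, timestamp_seconds)
    (137, 1, "10.0.0.5", "10.0.0.1", 0),       # first from this source: logged
    (137, 1, "10.0.0.5", "10.0.0.1", 10),      # same source inside 60 s: dropped
    (137, 1, "10.0.0.9", "10.0.0.1", 20),      # other source has its own counter
    (1, 1000001, "10.0.0.5", "10.0.0.1", 30),  # suppressed outright
    (1, 2, "10.0.0.5", "10.0.0.1", 40),        # no filter configured: logged
    (137, 1, "10.0.0.5", "10.0.0.1", 61),      # 60 s window expired: logged again
]

def parse_threshold_conf(text):
    """Map (gen_id, sig_id) -> options; joins '\\' continuations, drops comments."""
    rules = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        opts = {k: int(v) if v.isdigit() else v
                for k, v in (tok.split(None, 1) for tok in rest.split(","))}
        key = (opts.pop("gen_id"), opts.pop("sig_id"))
        rules[key] = dict(opts, type=opts.get("type", keyword))  # suppress has no 'type'
    return rules

def apply_filters(rules, alerts):
    """Replay alerts in order; return those Snort would still log (suppress + type limit)."""
    windows, logged = {}, []  # (gid, sid, tracked_ip) -> (window_start, events_seen)
    for gid, sid, src, dst, ts in alerts:
        rule = rules.get((gid, sid), {"type": "none"})
        if rule["type"] == "suppress":
            continue
        if rule["type"] == "limit":
            key = (gid, sid, src if rule["track"] == "by_src" else dst)
            start, seen = windows.get(key, (None, 0))
            if start is None or ts - start >= rule["seconds"]:
                start, seen = ts, 0  # open a new time window
            windows[key] = (start, seen + 1)
            if seen >= rule["count"]:  # only the first `count` events per window pass
                continue
        logged.append((gid, sid, src, dst, ts))
    return logged
```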
