Snort mailing list archives
Re: Thresholding & Suppressing
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 1 Aug 2013 15:30:28 -0600
Suppress, as you can see, only works with one flag or the other. you could write a pass rule in the local.rules to allow this traffic between those ports and ip's you could also write a bpf to use to have snort ignore that traffic and port completely. i myself tend to write pass rules when I need this, but that's just me. On Thu, Aug 1, 2013 at 3:03 PM, Turnbough, Bradley E. <bturnbough () belcan com> wrote:
Guys, I'm looking to completely suppress an alert from one specific IP to another specific IP, but I want to alert on others. Is this possible? I tried: suppress gen_id 1, sig_id 1948, track by_src, ip 1.2.3.4/32, track by_dst, ip 5.6.7.8/32 But I get: "ERROR: threshold.conf(60) suppress has extra option of type: track. Fatal Error, Quitting.." It appears I can either suppress by source OR by destination, but I need BOTH. Ideas? Brad _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ------------------------------------------------------------------------------ Get your SQL database under version control now! Version control is standard for application code, but databases havent caught up. So what steps can you take to put your SQL databases under version control? Why should you start doing it? Read more to find out. http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Get your SQL database under version control now! Version control is standard for application code, but databases havent caught up. So what steps can you take to put your SQL databases under version control? Why should you start doing it? Read more to find out. http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Thresholding & Suppressing Turnbough, Bradley E. (Aug 01)
- Re: Thresholding & Suppressing Jeremy Hoel (Aug 01)