Snort mailing list archives
Re: threshold.conf global suppression by IP
From: Victor Roemer <viroemer () cisco com>
Date: Fri, 9 Sep 2016 15:38:15 -0400
IIRC gen_id 0, sig_id 0 was added a few years ago. Make sure your running the latest version (2.9.8.3).
On 9/9/16 12:41 PM, Y M wrote:
Hmm, the documentation clearly states that gen_id 0, sig_id 0 can be used with suppress. Can you get exactly what causing the service to not run?I just did a quick test and snort seems to run fine. I put this in my threshold.confsuppress gen_id 0, sig_id 0 YM ------------------------------------------------------------------------ *From:* Mitch Gates <MGates () americanbus com> *Sent:* Friday, September 9, 2016 7:31 PM *To:* Y M *Cc:* snort-users () lists sourceforge net *Subject:* RE: [Snort-users] threshold.conf global suppression by IP When i try to suppress gen_id 0, sig_id 0 snort service will not start Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: Y M <snort () outlook com> Date: 9/9/16 11:22 AM (GMT-06:00) To: Mitch Gates <MGates () americanbus com> Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] threshold.conf global suppression by IPYes you can set a global filter among all rule types (text, so, etc). To do this, your event_filter should have:gen_id 0, sig_id 0 If you want to address text rules only, then gen_id 1, sig_id 0 and so on. YM Sent from MobileOn Fri, Sep 9, 2016 at 7:16 PM +0300, "Mitch Gates" <MGates () americanbus com <mailto:MGates () americanbus com>> wrote:Is there any way I can suppress events globally from a dst or src ip rather than defining each individual gen id and sig id I want to suppress?------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- threshold.conf global suppression by IP Mitch Gates (Sep 09)
- Re: threshold.conf global suppression by IP Y M (Sep 09)
- <Possible follow-ups>
- Re: threshold.conf global suppression by IP Mitch Gates (Sep 09)
- Re: threshold.conf global suppression by IP Y M (Sep 09)
- Re: threshold.conf global suppression by IP Victor Roemer (Sep 09)
- Re: threshold.conf global suppression by IP Mitch Gates (Sep 12)
- Re: threshold.conf global suppression by IP Y M (Sep 12)
- Re: threshold.conf global suppression by IP Mitch Gates (Sep 12)
- Re: threshold.conf global suppression by IP wkitty42 (Sep 12)
- Re: threshold.conf global suppression by IP Y M (Sep 12)
- Re: threshold.conf global suppression by IP James Lay (Sep 12)
- Re: threshold.conf global suppression by IP Y M (Sep 09)