[Snort-users] Suppression how-to help

Bradberry, John BradberryJ at ...2147...
Tue Dec 23 10:40:03 EST 2003


Hello:

We're trying to completely suppress Vecna scan events generated by
spp_stream4 (GID 111, SID 11) from a particular net range.

The configuration we're using is:

# Supress Vecna scan false-alarms from Data Link Switch traffic:
suppress gen_id 111, sig_id 11, track by_src, ip 10.8.0.0/16;

The startup log:
SUPPRESS: gen_id=111, sig_id=11, tracking=0,  ip=10.8.0.0,
mask=255.255.0.0

However, the events keep getting logged!

Recommendations to correct this problem will be appreciated.

Thank you.

John Bradberry
The Greentree Group




More information about the Snort-users mailing list