[Snort-users] Threshold/Suppression question
jlinden at ...10125...
Tue Nov 18 06:02:07 EST 2003
This may not be possible, but would be a great addition in the next
release. I have started using thresholding and suppression standalone
commands and they are working great, kudos to Marc for job well done!
My one problem is I would like to set a couple up with a negate ip
address, ie suppress gen_id 1, sig_id 1000000, track by_dst, ip
!x.x.x.x/32. When I start snort I see, SUPPRESS: gen_id=1,
sig_id=1000000, tracking=1, ip=255.255.255.255, mask=255.255.255.255.
I have snort setup with multiple interfaces and use the same ruleset for
all snort instances so I don't really want to customize the rule itself.
I have a different threshold.conf for each different instance. Anyone
have an idea how I can make this work?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users