[Snort-users] Threshold/Suppression question

Jason Linden jlinden at ...10125...
Tue Nov 18 06:02:07 EST 2003


This may not be possible, but it would be a great addition in the next
release. I have started using the thresholding and suppression standalone
commands and they are working great, kudos to Marc for a job well done!
My one problem is that I would like to set a couple up with a negated IP
address, i.e. suppress gen_id 1, sig_id 1000000, track by_dst, ip
!x.x.x.x/32. When I start Snort I see: SUPPRESS: gen_id=1,
sig_id=1000000, tracking=1,  ip=255.255.255.255, mask=255.255.255.255.
I have Snort set up with multiple interfaces and use the same ruleset for
all Snort instances, so I don't really want to customize the rule itself.
I have a different threshold.conf for each instance. Does anyone
have an idea how I can make this work?
 
Thanks!
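
One way to express "suppress for every destination except one address" without a negation operator, as an added example that is not part of the original post or of Snort: emit one positive suppress line per CIDR block covering the rest of IPv4. The address 192.0.2.10 and the helper names are constructed for illustration, and it is an assumption that the Snort release in use accepts every prefix length in a suppress line, so check the SUPPRESS: lines printed at startup.

```python
import ipaddress

ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def complement_blocks(keep):
    """Return the CIDR blocks covering all of IPv4 except the network `keep`."""
    keep_net = ipaddress.ip_network(keep)  # ValueError if host bits are set
    if keep_net.version != 4:
        raise ValueError("only IPv4 is handled here")
    if keep_net == ALL_IPV4:
        return []  # nothing is left to suppress
    # address_exclude() splits the supernet around keep_net: one block per
    # prefix bit, so a /32 yields 32 blocks and a /24 yields 24.
    return sorted(ALL_IPV4.address_exclude(keep_net))


def suppress_lines(gen_id, sig_id, track, keep):
    """Build threshold.conf suppress lines in the syntax used in the post."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return [
        f"suppress gen_id {gen_id}, sig_id {sig_id}, track {track}, ip {net}"
        for net in complement_blocks(keep)
    ]


def is_suppressed(addr, keep):
    """True if `addr` falls in one of the generated suppress blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in complement_blocks(keep))


if __name__ == "__main__":
    # Constructed sample: alerts stay enabled only for 192.0.2.10.
    for line in suppress_lines(1, 1000000, "by_dst", "192.0.2.10/32"):
        print(line)
```

Because each Snort instance already has its own threshold.conf, the generated lines can differ per instance while the shared ruleset stays untouched.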