doug at ...10143...
Mon Sep 22 13:01:02 EDT 2003
I'm trying to suppress or threshold a particular rule with snort 2.0.2.
I've read the README.thresholding over and am attempting the following.
The rule is sid:483 (the CyberKit... I'm trying to squelch Welchia a bit).
I put in a line in snort.conf for rules in local-limits.rules.
The file itself says:
suppress gen_id 1, sig_id 483
suppress gen_id 1, sig_id 483, track by_dst, ip x.x.x.x/x
threshold gen_id 1, sig_id 483, type threshold, track by_src, count 3,
threshold gen_id 1, sig_id 483, type threshold, track by_dst, count 3,
None of them seem to stem the flow at all (outputting in unified
format, reading fast.alert from barnyard output).
I have not removed rule 483.
Anyone know what I might be doing wrong?
Doug Nordwall doug at ...10143...
pgp fingerprint: 3CC7 B302 CB87 BCF3 F080 DF9D 43DF A123 D9D3 074E