[Snort-users] thresholding: SNMP alerts

Steffen Maetzky (extern) Steffen.Maetzky at ...11508...
Thu Apr 15 08:57:06 EDT 2004


Hi,

I want to ignore warnings from 3 different IPs (test servers) and have
made the following entry in my threshold.conf, which I've included in
snort.conf:

#SNMP public access udp
suppress gen_id 1, sig_id 1411, track by_src,ip [<IP1> <IP2> <IP3>]

restarting snort... 
no error message, but doesn't work

#SNMP public access udp
suppress gen_id 1, sig_id 1411, track by_src,ip [<IP1>, <IP2>, <IP3>]

restarting snort...
error message

Seems to me that it's not possible to use an IP list:

#SNMP public access udp
suppress gen_id 1, sig_id 1411, track by_src,ip <IP1>
suppress gen_id 1, sig_id 1411, track by_src,ip <IP2> 
suppress gen_id 1, sig_id 1411, track by_src,ip <IP3>

restarting snort...
no error message, but doesn't work

I think gen_id 1 (rules) should be right but I've also tried 121 without
success.

Does anyone know what's wrong?









