[Snort-users] Suppressing gen_id 116

Brian bmc at ...950...
Thu Aug 5 07:10:06 EDT 2004


On Tue, Jul 20, 2004 at 10:33:48AM -0700, snort user wrote:
> I running snort 2.1.3 and I am trying to suppress the
> following snort_decoder alerts using the thresholding
> functionality:
> 
> (snort_decoder) WARNING: Bad Token Ring MR Header!
> (snort_decoder) WARNING: Bad Token Ring ETHLLC Header!
> (snort_decoder) WARNING: Bad Token Ring MRLENHeader!
> 
> My threshold.conf file look like this:
> 
> suppress gen_id 116, sig_id 141
> suppress gen_id 116, sig_id 142
> suppress gen_id 116, sig_id 143

Suppression doesn't work on alerts on packets without valid IP
headers.  I logged this as a bug a while ago and submitted a patch
that fixes it for me.  We'll see when a fix for the bug is accepted.

-brian




More information about the Snort-users mailing list