[Snort-users] Signature question...

Jeff Penn jeff+dated+1075235701.a86d1c at ...11069...
Tue Jan 27 22:41:11 EST 2004

On Tue, Jan 20, 2004 at 08:35:05PM -0500, Jeff Kell wrote:
> I am in the process of "tuning" our signatures to rule out false 
> positives (e.g., FrontPage alerts on fully-patched machines).  I do not 
> want to disable the signature completely (although I do know how to do 
> that), but merely "pass" on the check if it is one of our known patched 
> servers.

I believe the suppress command defined in threshold.conf is what you are
looking for:

suppress gen_id 1, sig_id 1852, track by_dst, ip
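
An added example, not part of the original message and not Snort's own code: a simplified Python model of how suppress entries are matched, showing that `track by_dst` silences the signature only for traffic destined to the listed servers. It assumes each entry ends with the server's address or CIDR block after `ip`; the 192.0.2.x and 198.51.100.x addresses are constructed placeholders, and `parse_suppress` / `is_suppressed` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed threshold.conf content; 192.0.2.x stands in for the patched servers.
THRESHOLD_CONF = """\
# known patched servers
suppress gen_id 1, sig_id 1852, track by_dst, ip 192.0.2.10
suppress gen_id 1, sig_id 1852, track by_dst, ip 192.0.2.32/28
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_suppress(text):
    """Return (gen_id, sig_id, track, network) tuples; reject malformed entries."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed suppress entry: {line!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules

def is_suppressed(rules, gid, sid, src, dst):
    """True if an alert (gid, sid) on the flow src -> dst matches a suppress entry."""
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if net is None:          # no track/ip clause: suppressed for every host
            return True
        addr = ipaddress.ip_address(dst if track == "by_dst" else src)
        if addr in net:
            return True
    return False

RULES = parse_suppress(THRESHOLD_CONF)
```

Alerts for the same signature against any host outside the listed addresses still fire, which is what makes this safer than disabling the rule outright.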

