[Snort-users] RE: problem with suppress...

Graeme Rider Graeme.Rider at ...12106...
Thu Jul 15 15:43:11 EDT 2004


Sekure,
	what we have are connections to external trading partners coming
over IPsec VPNs. These addresses are not part of $HOME_NET, so I am trying
to suppress alerts on the traffic that I would not want to be classed as an
attack or recce type, but still be alerted on other types. If I used a pass
rule then I may miss a genuine alert.
I have also tried the suppress rule for http_inspect (gen_id 119) and still
receive the alerts. Obviously, from what I have read and what others are
saying, it is something I am doing or not doing.
regards
graeme

-----Original Message-----
From: sekure [mailto:sekure at ...11827...]
Sent: Thursday, 15 July 2004 11:04 PM
To: Graeme Rider
Cc: Tobias Rice; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] RE: problem with suppress...


Graeme,

You don't need the -o flag for suppression to work.  -o is used for
when you have "pass" rules.  Suppression and thresholding should work
without it.

Rule 384 is a very generic "ICMP Ping".  Is this the rule that keeps
triggering or are you trying to suppress ALL Ping events with that
statement?  The reason I ask is that there are many, many ICMP Ping
signatures.  Are you absolutely sure that it is sig id 384 that keeps
showing and not other ping signatures?

On Thu, 15 Jul 2004 08:43:02 +1000, Graeme Rider
<graeme.rider at ...12106...> wrote:
> 
> Tobias,
>        yes... I was not initially but then saw a reference to this flag in
> the 'pass' requirements...
> the suppress rule that I am using is in the local.rules file:
>        suppress gen_id 1,sig_id 384
> regards
> graeme
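The thread's own suppress line silences SID 384 for every source, which is broader than the stated goal (partner traffic over the VPN should not raise attack/recon alerts, everything else should). Snort's suppress directive takes an optional `track by_src|by_dst, ip <ip-list>` clause that scopes it to particular addresses. The following is an added example in Snort 2.x threshold/suppress syntax, not configuration from the thread; the addresses 203.0.113.10 and 198.51.100.0/24 are made-up stand-ins for the trading partners' VPN-side addresses, and the http_inspect event id is left as a placeholder because the thread does not name one.

```snort
# Added example (not from the thread). Snort 2.x event-suppression lines;
# 203.0.113.10 and 198.51.100.0/24 are made-up partner addresses standing in
# for the IPsec VPN peers. Put these in snort.conf or a file it includes
# (threshold.conf or local.rules both work, as long as the file is included).

# 1. The line as posted in the thread: silences SID 384 (ICMP PING) for
#    every source, which hides genuine pings from the internet as well.
# suppress gen_id 1,sig_id 384

# 2. Scoped by source address: SID 384 still fires for everyone except the
#    two partner networks. 'track by_src' compares the packet's source IP.
suppress gen_id 1, sig_id 384, track by_src, ip 203.0.113.10
suppress gen_id 1, sig_id 384, track by_src, ip 198.51.100.0/24

# 3. The reverse direction (our hosts pinging the partner) has the partner
#    as destination, so that case needs 'track by_dst'.
suppress gen_id 1, sig_id 384, track by_dst, ip 203.0.113.10

# 4. Preprocessor events carry their own generator id. For http_inspect
#    (gen_id 119) the sig_id is the preprocessor's event number shown in
#    the alert as [119:<event>:<rev>], not a rule SID. <EVENT_ID> below is
#    a placeholder: take it from the alert actually being seen.
# suppress gen_id 119, sig_id <EVENT_ID>, track by_src, ip 203.0.113.10
```

Two checks before assuming the directive is broken: run `snort -T -c <snort.conf>` so Snort parses the configuration and reports any rejected suppress line, and read the `[gid:sid:rev]` triplet at the start of the alert (for example `[1:384:...]`) to confirm that the event being suppressed is the one actually firing, since several distinct ping signatures exist under generator 1. The `ip` value must also be the address Snort sees on the wire: if the sensor sits inside the tunnel it is the partner's inner address, not the VPN gateway's public address.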
