[Snort-users] Suppressing gen_id 116

snort user snortuser2000 at ...131...
Wed Jul 21 13:20:05 EDT 2004


I am running snort 2.1.3 and I am trying to suppress the
following snort_decoder alerts using the thresholding
functionality:

(snort_decoder) WARNING: Bad Token Ring MR Header!
(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!
(snort_decoder) WARNING: Bad Token Ring MRLENHeader!

My threshold.conf file looks like this:

suppress gen_id 116, sig_id 141
suppress gen_id 116, sig_id 142
suppress gen_id 116, sig_id 143

I have 'include threshold.conf' in my snort.conf. 
When I load snort, not in daemon mode, I see the rules
load, but the events still get logged to my database. 
The only way I have been able to turn them off is to
set the following option in snort.conf:

config disable_decode_alerts

Can anyone tell me why suppression is not working for
me?  Is my gen_id wrong? sig_id?

TIA.


	
		