[Snort-users] Suppressing alerts
patrick.marquetecken at ...1187...
Thu Nov 18 11:07:06 EST 2004
On Thu, 18 Nov 2004 12:16:04 +0530
"Senthil Prabu.S" <prabu333 at ...8908...> wrote:
> > I got a lot of SCAN Proxy Port 8080 attempt [sid 620] alerts, but they
> > all come from my subnet (10.35.x.x) to (10.32.x.x).
> > What is the best way to "hide" this?
> > My var_home contains 10.32.0.0/24,10.35.0.0/24
> > I was thinking of using the Threshold.conf file like:
> > suppress gen_id X, sig_id 620, track by_src, ip 10.35.0.0/24
> > if this is a good idea, but where do I find the gen_id?
> I think you are using an older version of the Snort rules, because these
> kinds of noisy rules have been moved to the deleted.rules file in
> snort-2.2.0. So update your Snort regularly to get rid of these noisy and
> unnecessary alerts.
> Use the latest version of Snort and its rules.
> Senthil Prabu.S
Indeed I updated my test machine, but forgot the production machine.
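An added example, not part of the thread: in Snort's fast alert output the generator ID is the first number of the `[gid:sid:rev]` triple, so it can be read from the alerts themselves before writing a suppress entry. The sketch below assumes the fast alert format; the sample lines, the rule revisions, sid 1000001 and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
11/18-11:07:06.101010  [**] [1:620:6] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.35.0.17:3312 -> 10.32.0.5:8080
11/18-11:07:09.202020  [**] [1:620:6] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.35.0.44:4120 -> 10.32.0.5:8080
11/18-11:08:30.303030  [**] [1:620:6] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:5555 -> 10.32.0.5:8080
11/18-11:09:12.404040  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 10.35.0.17:3313 -> 10.32.0.5:1080
"""

# Captures gen_id, sig_id, revision, message and source address of one alert line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{\w+\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
)

def count_alerts_by_source(text, sid, internal_net):
    """Count alerts for `sid` per gen_id, split by source inside/outside internal_net."""
    net = ipaddress.ip_network(internal_net)
    inside, outside = Counter(), Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["sid"]) != sid:
            continue
        bucket = inside if ipaddress.ip_address(m["src"]) in net else outside
        bucket[int(m["gid"])] += 1
    return inside, outside

def suppress_lines(text, sid, internal_net):
    """Build one threshold.conf suppress entry per gen_id seen from internal_net."""
    inside, _ = count_alerts_by_source(text, sid, internal_net)
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {internal_net}"
        for gid in sorted(inside)
    ]

if __name__ == "__main__":
    inside, outside = count_alerts_by_source(SAMPLE_ALERTS, 620, "10.35.0.0/24")
    print("from internal net:", dict(inside), "from elsewhere:", dict(outside))
    print("\n".join(suppress_lines(SAMPLE_ALERTS, 620, "10.35.0.0/24")))
```

The outside count shows which alerts for the same sid would still fire after the entry is added, since `track by_src` limits the suppression to the listed source network.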