[Snort-users] Suppressing alerts

Patrick Marquetecken patrick.marquetecken at ...1187...
Thu Nov 18 11:07:06 EST 2004


On Thu, 18 Nov 2004 12:16:04 +0530
"Senthil Prabu.S" <prabu333 at ...8908...> wrote:

> >
> > I got a lot of SCAN Proxy Port 8080 attempt [sid 620] alerts, but they
> > all come from my subnet (10.35.x.x) to (10.32.x.x).
> > What is the best way to "hide" this?
> > My var_home contains 10.32.0.0/24,10.35.0.0/24
> >
> > I was thinking of using the Threshold.conf file like:
> > suppress gen_id X, sig_id 620, track by_src, ip 10.35.0.0/24
> > if this is a good idea, but where do I find the gen_id?
> >
> Hi,
>   I think you are using an older version of the snort rules, because these
> kinds of noisy rules have been moved to the deleted.rules file in
> snort-2.2.0. So update your snort rules regularly to get rid of these
> noisy and unnecessary alerts.
>
> Use the latest version of snort and its rules.
>
> HTH,
> --
> Senthil Prabu.S 
> 
> 
Indeed I updated my test machine, but forgot the production machine.

Patrick
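
As an added example (not part of the thread): Snort's fast alert output prints each alert's identity as [gen_id:sig_id:rev], so the gen_id needed for a suppress entry can be read from the alerts themselves. The sketch below parses constructed sample lines and emits a suppress entry scoped to the internal source subnet; the log lines, the rev value and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in Snort "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
11/18-11:07:01.100000  [**] [1:620:6] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.35.0.21:3312 -> 10.32.0.5:8080
11/18-11:07:02.200000  [**] [1:620:6] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.35.0.44:4120 -> 10.32.0.5:8080
11/18-11:07:03.300000  [**] [1:620:6] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:5533 -> 10.32.0.5:8080
this line is truncated and must be skipped
"""

# "[gen_id:sig_id:rev] message [**] ... {PROTO} src_ip"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_alert(line):
    """Return (gen_id, sig_id, source address) for one alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m["gid"]), int(m["sid"]), ipaddress.ip_address(m["src"])


def suppress_lines(log_text, sig_id, subnet):
    """Build suppress entries for sig_id, only for sources inside subnet."""
    net = ipaddress.ip_network(subnet)
    gen_ids = set()
    for line in log_text.splitlines():
        parsed = parse_alert(line)
        # Alerts from outside the subnet are ignored so they stay visible.
        if parsed and parsed[1] == sig_id and parsed[2] in net:
            gen_ids.add(parsed[0])
    return [
        f"suppress gen_id {gid}, sig_id {sig_id}, track by_src, ip {net}"
        for gid in sorted(gen_ids)
    ]


if __name__ == "__main__":
    for entry in suppress_lines(SAMPLE_ALERTS, 620, "10.35.0.0/24"):
        print(entry)
```

Because the entry tracks by source and names only the internal subnet, the same signature still alerts for any other source address.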
