[Snort-users] Thresholding and suppression

Lance Boon lboon at ...11799...
Thu Oct 14 14:38:00 EDT 2004


I've run into something strange when using the threshold.conf file. If I
try to:

suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x

all alerts that are generated for telnet access to that specific IP
address are suppressed as expected, but if I try to telnet to a jet
direct box I would think that alerts should be generated for that sig, as
the IP address is different, but I don't see any alerts generated...
Everything else is working correctly. I'm using snort 2.2/latest
ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var
EXTERNAL_NET !$HOME_NET with an IP in the var TELNET_SERVERS [x.x.x.x].
Am I just missing something?