[Snort-users] Thresholding and suppression

sekure sekure at ...11827...
Fri Oct 15 05:35:09 EDT 2004


That rule actually gets triggered upon seeing a specific response from
a Telnet server.  Your jet direct box may not be using a standard
telnet server, so it doesn't respond in a way that the rule is
expecting.


On Thu, 14 Oct 2004 16:37:07 -0500, Lance Boon
<lboon at ...11799...> wrote:
> I've run into something strange when using the threshold.conf file, if I
> try to:
> 
> suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x
> 
> all alerts that are generated for telnet access to that specific ip
> address are suppressed as expected, but if I try to telnet to a jet
> direct box I would think that alerts should be generated for that sig as
> the ip address is different but I don't see any alerts generated...
> Everything else is working correctly I'm using snort 2.2/latest
> ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var
> EXTERNAL_NET !$HOME_NET with an ip in the var TELNET_SERVERS [x.x.x.x]
> Am I just missing something?
> 
> 
>
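
Added illustration (not part of the original thread, and not Snort's own code): a small Python model of how a `suppress` entry like the one quoted above is evaluated, showing that an entry tracked `by_src` only drops alerts for the listed address, and that a host whose response never matches the rule produces no alert regardless of suppression. The addresses are constructed stand-ins for the elided `x.x.x.x`, and `rule_matched` is a hypothetical flag.

```python
import ipaddress

# Constructed threshold.conf text; 192.0.2.10 stands in for the elided "x.x.x.x".
THRESHOLD_CONF = """
# known telnet server
suppress gen_id 1, sig_id 716, track by_src, ip 192.0.2.10
"""

def parse_suppress(text):
    """Parse 'suppress' lines into dicts; 'track' and 'ip' are optional."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("suppress "):
            continue
        fields = dict(part.split(None, 1) for part in line[9:].split(","))
        net = ipaddress.ip_network(fields["ip"].strip(), strict=False) if "ip" in fields else None
        entries.append({"gen_id": int(fields["gen_id"]), "sig_id": int(fields["sig_id"]),
                        "track": fields.get("track", "").strip(), "net": net})
    return entries

def is_suppressed(entries, gen_id, sig_id, src, dst):
    """True if an alert that has already fired would be dropped by an entry."""
    for e in entries:
        if (e["gen_id"], e["sig_id"]) != (gen_id, sig_id):
            continue
        if e["net"] is None:  # no track/ip given: suppressed for all hosts
            return True
        addr = src if e["track"] == "by_src" else dst
        if ipaddress.ip_address(addr) in e["net"]:
            return True
    return False

def outcome(entries, event):
    """Suppression is only consulted after the rule itself has matched."""
    if not event["rule_matched"]:
        return "no alert (rule did not match)"
    if is_suppressed(entries, 1, 716, event["src"], event["dst"]):
        return "suppressed"
    return "alert"

# Constructed events. The alerting packet is the server's response, so "src" is
# the telnet server. "rule_matched" is a hypothetical flag for whether that
# response looked the way sig 716 expects.
EVENTS = {
    "suppressed server": {"src": "192.0.2.10", "dst": "198.51.100.5", "rule_matched": True},
    "other telnet server": {"src": "192.0.2.20", "dst": "198.51.100.5", "rule_matched": True},
    "JetDirect box": {"src": "192.0.2.30", "dst": "198.51.100.5", "rule_matched": False},
}

if __name__ == "__main__":
    entries = parse_suppress(THRESHOLD_CONF)
    for name, ev in EVENTS.items():
        print(f"{name:20} {outcome(entries, ev)}")
```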



