[Snort-users] PIM - Multicasts
eric.maheo at ...8860...
Tue Aug 23 10:47:02 EDT 2005
Well, you have several options:
- disable rule 2189 for your Snort listening on the internal network
- set a suppress for this sig and a particular IP source or destination
- set a threshold
- set the correct variables for this rule 2189

On Tue, 2005-08-23 at 12:07 -0500, Walt Rich wrote:
> I've been fairly successful in tuning snort in our environment, and
> have reduced the number of false positives dramatically. I have a
> question though: How do I disable the PIM alerts generated by Snort
> for our internal network? I constantly receive
> BAD_TRAFFIC IP Proto 103 PIM alerts. We run multicasting on our
> internal network because we use Norton Ghost to set up workstations.
> The Ghostcasting feature requires the enabling of multicasting, and we
> don't need to see these alerts.
> | Walt Rich | Sr. Network
> Engineer | Parago, Inc. |
> 972.538.7253 | walt.rich at ...12648...
Vice President of Engineering,
Applied Watch Technologies, LLC
1095 Pingree Rd.
Crystal Lake, IL 60014
Tel: (877) 262-7593 x324
Fax: (877) 262-7593
Email: eric.maheo at ...8860...
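
The suppress and threshold options listed in the reply above, written out as Snort 2.x threshold.conf entries. This is an added example, not part of the original message; the 192.168.10.0/24 subnet and the count/seconds values are assumptions chosen for illustration.

```conf
# threshold.conf (included from snort.conf): added example, not from the thread.
# 192.168.10.0/24 is a constructed placeholder for the internal Ghostcast subnet.

# Suppress option: silence sid 2189 only when the source is in the internal
# subnet, so PIM (IP protocol 103) seen from any other source still alerts.
suppress gen_id 1, sig_id 2189, track by_src, ip 192.168.10.0/24

# Threshold option: keep the alert but log at most one event per source per
# hour (count and seconds are illustrative values).
threshold gen_id 1, sig_id 2189, type limit, track by_src, count 1, seconds 3600
```

Scoping the suppress to a source range keeps the signature active for everything else the sensor sees, which disabling the rule outright does not.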