[Snort-users] Threshold Suppression Not Working

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Feb 1 00:50:57 EST 2005


--On 31 January 2005 11:11 -0600 Ron Jenkins <rjenkins at ...12829...> wrote:

> I am trying to suppress the below portscan alerts due to high volumes of
> alerts:
>   * (portscan) Open Port
>   * (portscan) TCP Portscan
>   * (portscan) UDP Portscan
>   * (portscan) TCP Portsweep
>   * (portscan) UDP Portsweep
>
>
>
> I have added it to the threshold.conf file along with my other working
> alert suppressions.  Below is the format for the above:
>
>   * suppress gen_id 122, sig_id 3
>   * suppress gen_id 122, sig_id 19
>   * suppress gen_id 122, sig_id 27
>
>
>
> These lines are not working, so I had to disable the preprocessor within
> snort.conf.

I don't think sfportscan-generated alerts can have threshold rules applied 
in 2.3.0. I'm going to try fixing this and I'll let the list know how I get 
on.

> Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA)

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9





