[Snort-users] Suppressing alerts.

chubeshoi at ...12935...
Mon Feb 28 06:15:44 EST 2005


Hi all.

Was wondering if you could help me suppress some alerts on my new Snort 
box.  Currently

[snort] (portscan) Open Port   unclassified
[snort] (portscan) UDP Portsweep   unclassified
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

are generating too many alerts.  I have attempted to suppress these 
alerts in my snort.conf file like the following:

suppress gen_id 1, sig_id 27:
suppress gen_id 1, sig_id 19:
suppress gen_id 1, sig_id 4:

But those alerts keep on flooding my SQL database.  Am I using the 
correct signature ID numbers?  I don't know what else to try.

Thanks.
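
Added example, not part of the original post and not Snort project code: gen_id 1 is the generator for ordinary text rules, while preprocessor alerts such as (portscan) and (http_inspect) carry their own generator IDs, which Snort lists in its gen-msg.map file. The Python below looks up alert messages in gen-msg.map-format text and emits the matching suppress lines; the three map lines are a constructed sample and the function names are hypothetical.

```python
# Constructed sample in gen-msg.map format: generator id || alert id || message.
# On a real sensor, read the gen-msg.map shipped with the installed Snort version.
SAMPLE_GEN_MSG_MAP = """\
# GENERATORS -> msg map
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
122 || 19 || portscan: UDP Portsweep
122 || 27 || portscan: Open Port
"""

# Alert messages as they appear in the post (classification column dropped).
ALERTS = [
    "(portscan) Open Port",
    "(portscan) UDP Portsweep",
    "(http_inspect) BARE BYTE UNICODE ENCODING",
]

def normalize(msg):
    """Reduce '(portscan) Open Port' and 'portscan: Open Port' to one key."""
    words = msg.lower().split()
    if words:
        words[0] = words[0].strip("():")
    return " ".join(words)

def parse_gen_msg_map(text):
    """Return {normalized message: (gen_id, sig_id)}; skip comments and bad lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("||", 2)
        if len(parts) != 3:
            continue
        try:
            gen_id, sig_id = int(parts[0]), int(parts[1])
        except ValueError:
            continue
        table[normalize(parts[2])] = (gen_id, sig_id)
    return table

def suppress_lines(alert_msgs, map_text):
    """Build one suppress line per alert; flag alerts with no map entry."""
    table = parse_gen_msg_map(map_text)
    out = []
    for msg in alert_msgs:
        ids = table.get(normalize(msg))
        if ids is None:
            out.append("# no gen-msg.map entry for: " + msg)
        else:
            out.append("suppress gen_id %d, sig_id %d" % ids)
    return out
```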




