[Snort-users] Supressing alerts.

Matt Kettler mkettler at ...4108...
Mon Feb 28 10:23:52 EST 2005

At 09:14 AM 2/28/2005, chubeshoi at ...12935... wrote:

>Are generating too many alerts.  I have attempted to suppress these alerts 
>in my snort.conf file like the following:
>suppress gen_id 1, sig_id 27:
>suppress gen_id 1, sig_id 19:
>suppress gen_id 1, sig_id 4:
>But those alerts keep on flooding my SQL database.  Am I using the correct 
>signature ID numbers?  I don't know what else to try.

Well, you are close, but you wrong gen_id's.. generator 1 is the rules, and 
no preprocessor generated alerts will match.

[snort] (portscan) Open Port   unclassified
[snort] (portscan) UDP Portsweep   unclassified

sfportscan is generator 122 so you need to suppress gen_id 122 with sig_id 
27 and 19.

[snort] (http_inspect) BARE BYTE UNICODE ENCODING

http_inspect is generator 119 so you need to suppress gen_id 119 sig_id 4

Try these instead:

suppress gen_id 122, sig_id 27:
suppress gen_id 122, sig_id 19:
suppress gen_id 119, sig_id 4:

More information about the Snort-users mailing list