[Snort-users] Supressing alerts.
mkettler at ...4108...
Mon Feb 28 10:23:52 EST 2005
At 09:14 AM 2/28/2005, chubeshoi at ...12935... wrote:
>Are generating too many alerts. I have attempted to suppress these alerts
>in my snort.conf file like the following:
>suppress gen_id 1, sig_id 27
>suppress gen_id 1, sig_id 19
>suppress gen_id 1, sig_id 4
>But those alerts keep on flooding my SQL database. Am I using the correct
>signature ID numbers? I don't know what else to try.
Well, you are close, but you have the wrong gen_id's. Generator 1 is the rules, and
no preprocessor-generated alerts will match.
[snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
sfportscan is generator 122 so you need to suppress gen_id 122 with sig_id
27 and 19.
[snort] (http_inspect) BARE BYTE UNICODE ENCODING
http_inspect is generator 119 so you need to suppress gen_id 119 sig_id 4
Try these instead:
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
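The reply above hinges on reading the generator id (gid) off the alert itself rather than assuming gid 1. As an added example that is not part of the original thread, the script below parses Snort's alert_fast format (where each event carries a [gid:sid:rev] triple), counts events per gid/sid, and emits suppress lines for the preprocessor events while leaving rule events (gid 1) alone. The alert lines it runs on are constructed sample data, not output from the poster's sensor.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's alert_fast format: "[gid:sid:rev] message [**]".
# gid 122 is sfportscan, gid 119 is http_inspect, gid 1 is an ordinary rule.
SAMPLE_ALERTS = """\
02/28-09:10:01.000001  [**] [122:27:1] (portscan) Open Port [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.0.2.10:51022
02/28-09:10:02.000002  [**] [122:19:1] (portscan) UDP Portsweep [**] [Priority: 3] {UDP} 192.0.2.10 -> 10.0.0.0
02/28-09:10:03.000003  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:51023 -> 10.0.0.5:80
02/28-09:10:04.000004  [**] [122:27:1] (portscan) Open Port [**] [Priority: 3] {TCP} 10.0.0.5:22 -> 192.0.2.10:51024
02/28-09:10:05.000005  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 1] {TCP} 192.0.2.10:51025 -> 10.0.0.5:80
"""

# Matches the "[gid:sid:rev] message [**]" portion of an alert_fast line.
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


def count_alert_ids(text):
    """Return a Counter keyed by (gid, sid, message) for every alert line in text."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_ID.search(line)
        if m:
            gid, sid, _rev, msg = m.groups()
            counts[(int(gid), int(sid), msg)] += 1
    return counts


def suppress_lines(counts, min_hits=1):
    """Build suppress directives for preprocessor events (gid != 1) seen at least min_hits times.

    Each entry is a comment line naming the event and hit count, followed by the
    suppress line itself (Snort's suppress syntax takes no trailing punctuation).
    """
    out = []
    for (gid, sid, msg), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if gid == 1 or n < min_hits:
            continue  # rule alerts are tuned in the rule files, not here
        out.append(f"# {msg} ({n} hits)\nsuppress gen_id {gid}, sig_id {sid}")
    return out


if __name__ == "__main__":
    print("\n".join(suppress_lines(count_alert_ids(SAMPLE_ALERTS))))
```

Run it against a real alert_fast log to get the gid/sid pairs that are actually flooding, then paste the emitted lines into threshold.conf (or wherever snort.conf includes its suppress directives).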