[Snort-users] Supressing alerts.

mdpeters michael.peters at ...10939...
Mon Feb 28 10:37:23 EST 2005


These are actually placed into the snort.conf file?


----- Original Message ----- 
From: "Matt Kettler" <mkettler at ...4108...>
To: <chubeshoi at ...12935...>; <snort-users at lists.sourceforge.net>
Sent: Monday, February 28, 2005 1:21 PM
Subject: Re: [Snort-users] Supressing alerts.


> At 09:14 AM 2/28/2005, chubeshoi at ...12935... wrote:
>
>>Are generating too many alerts.  I have attempted to suppress these alerts 
>>in my snort.conf file like the following:
>>suppress gen_id 1, sig_id 27:
>>suppress gen_id 1, sig_id 19:
>>suppress gen_id 1, sig_id 4:
>>
>>But those alerts keep on flooding my SQL database.  Am I using the correct 
>>signature ID numbers?  I don't know what else to try.
>
> Well, you are close, but you have the wrong gen_ids. Generator 1 is the rules, 
> and no preprocessor generated alerts will match.
>
>
> [snort] (portscan) Open Port   unclassified
> [snort] (portscan) UDP Portsweep   unclassified
>
> sfportscan is generator 122 so you need to suppress gen_id 122 with sig_id 
> 27 and 19.
>
> [snort] (http_inspect) BARE BYTE UNICODE ENCODING
>
> http_inspect is generator 119 so you need to suppress gen_id 119 sig_id 4
>
> Try these instead:
>
> suppress gen_id 122, sig_id 27:
> suppress gen_id 122, sig_id 19:
> suppress gen_id 119, sig_id 4:
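An added example, not part of the original thread: a small Python audit that checks each suppress line against the generator and signature IDs actually present in alert output, which catches the gen_id mismatch discussed above. It assumes alerts are available in Snort's fast-alert text form with a [gid:sid:rev] tag; the sample config and alert lines are constructed from the gen_id/sig_id pairs named in the thread, and the revision numbers are made up.

```python
import re
from collections import Counter

# "[gid:sid:rev] message [**]" as printed in fast-alert output (assumed format).
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\]\s*(.*?)\s*\[\*\*\]")
# "suppress gen_id G, sig_id S"; anything after the sig_id is ignored.
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")

# Constructed sample data, not taken from a real sensor.
SAMPLE_CONF = """\
suppress gen_id 1, sig_id 27:
suppress gen_id 1, sig_id 19:
suppress gen_id 119, sig_id 4:
"""
SAMPLE_ALERTS = """\
[**] [122:27:0] (portscan) Open Port [**]
[**] [122:19:0] (portscan) UDP Portsweep [**]
[**] [122:27:0] (portscan) Open Port [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
"""

def parse_suppress(conf_text):
    """Return (gen_id, sig_id) for every suppress line; comments never match."""
    hits = (SUPPRESS_RE.match(line) for line in conf_text.splitlines())
    return [(int(m.group(1)), int(m.group(2))) for m in hits if m]

def parse_alerts(alert_text):
    """Count alerts per (gen_id, sig_id) and remember one message for each."""
    seen, msgs = Counter(), {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            seen[key] += 1
            msgs.setdefault(key, m.group(3))
    return seen, msgs

def audit(conf_text, alert_text):
    """Flag suppress entries that match no observed alert, and list the
    generators that did emit the same sig_id (likely intended gen_id)."""
    seen, _ = parse_alerts(alert_text)
    findings = []
    for gid, sid in parse_suppress(conf_text):
        if (gid, sid) in seen:
            findings.append((gid, sid, "matches", []))
        else:
            candidates = sorted({g for (g, s) in seen if s == sid})
            findings.append((gid, sid, "no-match", candidates))
    return findings

if __name__ == "__main__":
    for gid, sid, status, candidates in audit(SAMPLE_CONF, SAMPLE_ALERTS):
        hint = f" (seen under gen_id {candidates})" if candidates else ""
        print(f"suppress gen_id {gid}, sig_id {sid}: {status}{hint}")
```
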