[Snort-users] rules vs. suppress

Jeremy Hewlett jh at ...1935...
Wed Mar 30 13:49:53 EST 2005


Sorry for the delayed response. [insert standard excuse here] ;)

On Thu, Mar 24, Lee Clemens wrote:
> That all makes sense, but a serious caveat...what suppress statement
> wouldn't cause the rule to be pointless? (alert any any <> 10/8 any)

After having a better look at what you're trying to do, Marc Norton
and I both agree.  Making a broad suppression generalization does
nullify your rule statement - you do shutdown quite a bit of alerting
this way. Suppression is too specific for what you want.

> Am I overlooking a simple solution for this? 

Your original 21 rules were better for what you're trying to do.  I'd
be happy to poke at your config with you. Send it to me off list if
you want.




More information about the Snort-users mailing list