[Snort-users] Suppress alerts

Peter Rodger prodger2008 at ...131...
Mon Oct 17 11:37:23 EDT 2005


Joel,

Thanks for the info and help.  The threshold.conf file
is in /snort/etc directory following the instruction
in snort.conf file. (the file in the /etc and /rules
folder) Even if I change threshold.conf in the \rules
directory, the result is still the same.

Please see the attached snort.conf and threshold.conf
files in the \snort\etc folder.

I did change threshold.conf in both /etc and /rules
folders and include d:\win-ds\snort\etc\threshold.conf
in the snort.conf file.
Still can not suppress these alerts?

Let me know what's wrong with my config?  I can not
figure out why?  

Thanks again,

Peter



--- Joel Esler <joel.esler at ...1935...> wrote:

> The threshold.conf is probably in your /rules directory.  (The
> directory is located in your snort.conf  Search your snort.conf for
> "threshold.conf" and you'll see the include statement.
> 
> The Generator ID and SID are located in gid-msg.map and sid-msg.map.
> Probably in your rules directory.
> 
> Joel Esler
> SOURCEfire
> 
> 
> On Oct 17, 2005, at 1:06 PM, Peter Rodger wrote:
> 
> > Bruce,
> >
> > Thanks!  I am running Snort on windows too.   I'm
> > using IIS6, MSSQL, PHP, and BASE on windows2003.
> > BTW, I just found out that the threshold.conf file is
> > in two places: one is in \snort\etc folder; another is
> > in \snort\rules folder.  Which one should I change?
> > I changed the one in \snort\etc folder.
> >
> > How do you get generator ID or SID?
> >
> > Thanks again,
> >
> > Peter
> > --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> >
> >
> >> Yes I did see your Friday e-mail.
> >>
> >> I am running Snort on Windows and do not have your
> >> problem.
> >>
> >> Also you do not need to reboot your Snort machine
> >> when making a config
> >> change - just stop & restart Snort.
> >>
> >> What Snort version?
> >> What other support tools are you using - such as web
> >> server & logging
> >> database & alert viewer?
> >> I'm using Apache, MySQL, PHP, and BASE.
> >>
> >> Bruce
> >>
> >>
> >> -----Original Message-----
> >> From: Peter Rodger [mailto:prodger2008 at ...131...]
> >> Sent: Monday, October 17, 2005 11:52 AM
> >> To: Briggs, Bruce
> >> Subject: Fwd: RE: [Snort-users] Suppress alerts
> >>
> >> Bruce,
> >>
> >> Did you check this message I sent you last Friday?
> >>
> >> The snort.conf is the right file I changed.
> >>
> >> What could go wrong with it?
> >>
> >> Thanks so much,
> >>
> >> Peter
> >> Note: forwarded message attached.
> >>
> >>
> >>
> >>
> >>
> >> __________________________________
> >> Yahoo! Mail - PC Magazine Editors' Choice 2005
> >> http://mail.yahoo.com
> >>
> >>
> > -------------------------------------------------------
> > This SF.Net email is sponsored by:
> > Power Architecture Resource Center: Free content, downloads,
> > discussions, and more.
> > http://solutions.newsforge.com/ibmarch.tmpl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users



	
		
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27804 bytes
Desc: 2440593508-snort.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051017/5b6af0f5/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: threshold.conf
Type: application/octet-stream
Size: 2473 bytes
Desc: 1965301261-threshold.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051017/5b6af0f5/attachment-0001.obj>
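
Added example, not part of the original thread and not Snort's own code: the thread turns on which of the two threshold.conf copies snort.conf actually includes and whether the suppress lines in it are well-formed, and this Python check reports both. The config text, SIDs and IP address are constructed samples, the function names are hypothetical, and relative include paths are assumed to resolve against the directory holding snort.conf.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input, not the poster's attached files.
SNORT_CONF = r"""
var RULE_PATH d:\win-ds\snort\rules
# include threshold.conf
include $RULE_PATH\threshold.conf
"""
THRESHOLD_CONF = """
# suppress gen_id 1, sig_id 1852
suppress gen_id 1, sig_id 2003
suppress gen_id 1 sig_id 469
suppress gen_id 1, sig_id 1390, track by_src, ip 10.1.1.54
"""
SUPPRESS = re.compile(r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
                      r"(\s*,\s*track\s+by_(src|dst)\s*,\s*ip\s+\S+)?\s*$")

def threshold_includes(conf_text, conf_dir):
    """Return (resolved path, active) for every include naming threshold.conf."""
    variables, found = {}, []
    for line in map(str.strip, conf_text.splitlines()):
        active = not line.startswith("#")
        parts = line.lstrip("# ").split(None, 2)
        if active and len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
        elif len(parts) >= 2 and parts[0] == "include" and "threshold.conf" in parts[1].lower():
            target = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), parts[1])
            # Assumption: a relative include resolves against snort.conf's directory.
            found.append((str(PureWindowsPath(conf_dir) / target), active))
    return found

def parse_suppress(text):
    """Split suppress lines into active (gen_id, sig_id) pairs and malformed lines."""
    active, malformed = [], []
    for line in map(str.strip, text.splitlines()):
        if not line.startswith("suppress"):
            continue  # blank, commented-out suppress, or another directive
        m = SUPPRESS.match(line)
        if m:
            active.append((int(m.group(1)), int(m.group(2))))
        else:
            malformed.append(line)  # e.g. missing comma between gen_id and sig_id
    return active, malformed

if __name__ == "__main__":
    for path, active in threshold_includes(SNORT_CONF, r"d:\win-ds\snort\etc"):
        print("LOADED " if active else "ignored", path)
    print(parse_suppress(THRESHOLD_CONF))
```

In the constructed sample the only active include points at the \rules copy, so suppress lines added to the \etc copy would never be read; compare the reported gen_id and sig_id pairs with the entries in gid-msg.map and sid-msg.map.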

