[Snort-users] Suppress alerts

Joel Esler joel.esler at ...1935...
Tue Oct 18 08:05:09 EDT 2005


We need a bit more info than what you've provided.

Joel


On Oct 18, 2005, at 10:53 AM, Peter Rodger wrote:

> Hi all,
>
> Can anyone point out what's wrong with my config?  The
> alerts are still not suppressed.
>
> I am just too overwhelmed with this.
>
> Any help will be greatly appreciated.
>
> Thanks,
>
> Peter
>
> Note: forwarded message attached.
>
> From: Peter Rodger <prodger2008 at ...131...>
> Date: October 17, 2005 2:35:26 PM EDT
> To: Joel Esler <joel.esler at ...1935...>
> Cc: s <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Suppress alerts
>
>
> Joel,
>
> Thanks for the info and help.  The threshold.conf file
> is in the /snort/etc directory, following the instruction
> in the snort.conf file. (the file in the /etc and /rules
> folder) Even if I change threshold.conf in the \rules
> directory, the result is still the same.
>
> Please see the attached snort.conf and threshold.conf
> files in the \snort\etc folder.
>
> I did change threshold.conf in both /etc and /rules
> folders and include d:\win-ds\snort\etc\threshold.conf
> in the snort.conf file.
> Still can not suppress these alerts?
>
> Let me know what's wrong with my config?  I can not
> figure out why?
>
> Thanks again,
>
> Peter
>
>
>
> --- Joel Esler <joel.esler at ...1935...> wrote:
>
>
>> The threshold.conf is probably in your /rules directory.  (The
>> directory is located in your snort.conf.  Search your snort.conf for
>> "threshold.conf" and you'll see the include statement.)
>>
>> The Generator ID and SID are located in gid-msg.map and sid-msg.map.
>> Probably in your rules directory.
>>
>> Joel Esler
>> SOURCEfire
>>
>>
>> On Oct 17, 2005, at 1:06 PM, Peter Rodger wrote:
>>
>>
>>> Bruce,
>>>
>>> Thanks!  I am running Snort on windows too.   I'm
>>> using IIS6, MSSQL, PHP, and BASE on windows2003.
>>> BTW, I just found out that the threshold.conf file is
>>> in two places: one is in \snort\etc folder; another is
>>> in \snort\rules folder.  Which one should I change?
>>> I changed the one in \snort\etc folder.
>>>
>>> How do you get generator ID or SID?
>>>
>>> Thanks again,
>>>
>>> Peter
>>> --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
>>>
>>>
>>>
>>>> Yes I did see your Friday e-mail.
>>>>
>>>> I am running Snort on Windows and do not have your
>>>> problem.
>>>>
>>>> Also you do not need to reboot your Snort machine
>>>> when making a config
>>>> change - just stop & restart Snort.
>>>>
>>>> What Snort version?
>>>> What other support tools are you using - such as web
>>>> server & logging
>>>> database & alert viewer?
>>>> I'm using Apache, MySQL, PHP, and BASE.
>>>>
>>>> Bruce
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Peter Rodger [mailto:prodger2008 at ...131...]
>>>> Sent: Monday, October 17, 2005 11:52 AM
>>>> To: Briggs, Bruce
>>>> Subject: Fwd: RE: [Snort-users] Suppress alerts
>>>>
>>>> Bruce,
>>>>
>>>> Did you check this message I sent you last Friday?
>>>>
>>>> The snort.conf is the right file I changed.
>>>>
>>>> What could go wrong with it?
>>>>
>>>> Thanks so much,
>>>>
>>>> Peter
>>>> Note: forwarded message attached.
>
> <snort.conf>
> <threshold.conf>
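
The check suggested in the quoted replies (find the `include` statement for threshold.conf in snort.conf, then confirm the SIDs being suppressed exist in sid-msg.map) can be scripted. This is an added example, not part of the thread or of Snort itself; the file contents, the SIDs in the local range and the helper names are constructed for illustration, and only the `d:\win-ds\snort\etc\threshold.conf` path comes from the messages above.

```python
import re

# Constructed sample files (not the attachments from the thread).
SNORT_CONF = r"""# include threshold.conf
include d:\win-ds\snort\etc\threshold.conf
include $RULE_PATH/local.rules
"""
SID_MSG_MAP = """1000001 || LOCAL constructed alert A
1000002 || LOCAL constructed alert B || url,example.invalid
"""
THRESHOLD_CONF = """# suppress gen_id 1, sig_id 1000001
suppress gen_id 1, sig_id 1000002
suppress gen_id 1, sig_id 1000009, track by_src, ip 10.1.1.54
"""

INCLUDE_RE = re.compile(r"^\s*(#?)\s*include\s+(\S+)", re.I)
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)

def find_includes(conf_text, name="threshold.conf"):
    """Return (line_no, path, active) for every include of `name`, commented out or not."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if m and m.group(2).replace("\\", "/").lower().endswith(name):
            hits.append((no, m.group(2), m.group(1) == ""))
    return hits

def load_sid_map(text):
    """Parse sid-msg.map lines of the form 'sid || msg || ref...' into {sid: msg}."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            out[int(parts[0])] = parts[1]
    return out

def parse_suppress(text):
    """Return (gen_id, sig_id) for each uncommented suppress line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(SUPPRESS_RE.match, text.splitlines()) if m]

def unknown_suppressions(threshold_text, sid_map):
    """Generator-1 suppress entries whose SID is missing from sid-msg.map."""
    return [(g, s) for g, s in parse_suppress(threshold_text)
            if g == 1 and s not in sid_map]

if __name__ == "__main__":
    print(find_includes(SNORT_CONF))
    print(unknown_suppressions(THRESHOLD_CONF, load_sid_map(SID_MSG_MAP)))
```

Only an include reported as active is read by Snort, so edits to any other copy of threshold.conf have no effect on alerting.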
