[Snort-users] Suppress alerts

Peter Rodger prodger2008 at ...131...
Tue Oct 18 08:22:58 EDT 2005


Hi Joel,

Here is the info:

I am running Snort on Windows. I'm
using IIS6, MSSQL, PHP, and BASE on Windows 2003.

Currently,
[snort] (portscan) Open Port 
[snort] (portscan) UDP Portsweep 
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

are generating too many alerts. I have attempted to
suppress these alerts in my threshold.conf file like
the following:
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

But those alerts are still being generated as much as before.
The threshold.conf file
is in the /snort/etc directory, following the instruction
in the snort.conf file. (The file is in the /etc and /rules
folders.) Even when I changed threshold.conf in the \rules
directory, the result is still the same.

Please see the attached snort.conf and threshold.conf
files in the \snort\etc folder.

I did change threshold.conf in both the /etc and /rules
folders and included d:\win-ds\snort\etc\threshold.conf
in the snort.conf file.
Still cannot suppress these alerts?

In the snort.conf file, I do have this include line:
include d:\win-ids\snort\etc\threshold.conf

In threshold.conf, I have:
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

I do not know why these alerts cannot be suppressed.

Thanks for your help,

Peter




--- Joel Esler <joel.esler at ...1935...> wrote:

> We need a bit more info than what you've provided.
> 
> Joel
> 
> 
> On Oct 18, 2005, at 10:53 AM, Peter Rodger wrote:
> 
> > Hi all,
> >
> > Can anyone point out what's wrong with my config? The
> > alerts are still not suppressed.
> >
> > I am just too overwhelmed with this.
> >
> > Any help will be greatly appreciated.
> >
> > Thanks,
> >
> > Peter
> >
> > Note: forwarded message attached.
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27804 bytes
Desc: 2440593508-snort.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051018/ca057c1e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: threshold.conf
Type: application/octet-stream
Size: 2473 bytes
Desc: 1965301261-threshold.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051018/ca057c1e/attachment-0001.obj>
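
An added example, not part of the original post or of Snort itself: one way to check which `suppress` entries a snort.conf actually pulls in through its `include` lines, and which of the three gen_id/sig_id pairs from the post would still alert. The function names, the in-memory file table and the `c:\snort\...` paths are constructed for illustration, and include paths are assumed to be absolute.

```python
import re

SUPPRESS = re.compile(r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)
INCLUDE = re.compile(r"include\s+(\S+)", re.I)

def norm(path):
    """Windows paths compare case-insensitively and accept either slash."""
    return path.replace("/", "\\").lower()

def loaded_suppressions(files, root):
    """Follow include lines from root; return (set of (gid, sid), missing paths)."""
    table = {norm(p): text for p, text in files.items()}
    suppressed, missing, seen, todo = set(), [], set(), [root]
    while todo:
        path = todo.pop()
        if norm(path) in seen:
            continue                      # guard against include loops
        seen.add(norm(path))
        if norm(path) not in table:
            missing.append(path)          # include points at a file that is not there
            continue
        for line in table[norm(path)].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue                  # a commented-out include loads nothing
            inc, sup = INCLUDE.match(line), SUPPRESS.match(line)
            if inc:
                todo.append(inc.group(1))
            elif sup:
                suppressed.add((int(sup.group(1)), int(sup.group(2))))
    return suppressed, missing

def still_alerting(noisy, files, root):
    """Pairs from noisy that no loaded suppress line covers."""
    suppressed, _ = loaded_suppressions(files, root)
    return [pair for pair in noisy if pair not in suppressed]

# gen_id/sig_id pairs taken from the suppress lines in the post
NOISY = [(122, 27), (122, 19), (119, 4)]
THRESHOLD = "".join(f"suppress gen_id {g}, sig_id {s}\n" for g, s in NOISY)
ROOT = r"c:\snort\etc\snort.conf"         # constructed path
# Constructed case 1: edited threshold.conf exists but is never included
BROKEN = {ROOT: "# include c:\\snort\\etc\\threshold.conf\n"
                "include c:\\snort\\rules\\local.conf\n",
          r"c:\snort\etc\threshold.conf": THRESHOLD}
# Constructed case 2: include path matches the edited file (case and slash differ)
FIXED = {ROOT: "include C:/Snort/etc/threshold.conf\n",
         r"c:\snort\etc\threshold.conf": THRESHOLD}

if __name__ == "__main__":
    for name, files in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, loaded_suppressions(files, ROOT), still_alerting(NOISY, files, ROOT))
```
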

