Fwd: Re: [Snort-users] Suppress alerts

João Mota joao at ...13547...
Wed Oct 19 02:14:00 EDT 2005

Peter Rodger wrote:

>Thanks for your reply.  The attached is the output
>after I ran snort -c snort.conf.
>Please let me know anything wrong with that.
Well... the thresholding info isn't there. I've noticed that this part 
of the output is sent to stderr instead of stdout. Don't know how you 
can redirect this on windows.
Anyway, even if you don't have any thresholding configured you should 
get something like:

Running in IDS mode

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf

Initializing rule chains...
2 Snort rules read...
2 Option Chains linked into 1 Chain Headers
0 Dynamic rules
| memory-cap : 1048576 bytes
| none
| none
| none
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort

        --== Initialization Complete ==--

Instead of having to check the logs for the supression you can verify 
your configuration on the [suppresion] part. If it displays like this 
example (none) it means that the other repliers were right and probably 
your not pointing to the right threshold.conf file. If there is some 
thresholding info (besides 'none') you should post it here along with (I 
know you've already posted several times) the desired behaviour.

Good luck ;)

More information about the Snort-users mailing list