Fwd: Re: [Snort-users] Suppress alerts

Peter Rodger prodger2008 at ...131...
Wed Oct 19 06:57:42 EDT 2005


Hi,

Thanks for your help.  Sorry that I did not send the whole
output to you.  Please see the attached output.txt;
there is an error stopped in the log directory.  Can't
figure out why.

Still get tons of open port alerts and desperately
need your help.

Thanks again,

Peter

--- João Mota <joao at ...13547...> wrote:

> Peter Rodger wrote:
> 
> >Thanks for your reply.  The attached is the output
> >after I ran snort -c snort.conf.
> >
> >Please let me know anything wrong with that.
> >  
> >
> Well... the thresholding info isn't there. I've noticed that this part
> of the output is sent to stderr instead of stdout. Don't know how you
> can redirect this on windows.
> Anyway, even if you don't have any thresholding configured you should
> get something like:
> 
> Running in IDS mode
> 
> Initializing Network Interface eth0
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 2 Snort rules read...
> 2 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> +------------------------------------------------------------------------------
> Rule application order:
> ->activation->dynamic->alert->pass->log
> Log directory = /var/log/snort
> 
>         --== Initialization Complete ==--
> 
> 
> Instead of having to check the logs for the suppression you can verify
> your configuration on the [suppression] part. If it displays like this
> example (none) it means that the other repliers were right and probably
> you're not pointing to the right threshold.conf file. If there is some
> thresholding info (besides 'none') you should post it here along with (I
> know you've already posted several times) the desired behaviour.
> 
> Good luck ;)
> 



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: output.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051019/9397b215/attachment.txt>
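An added shell example (not code from this thread or from Snort) of the check João describes: read the start-up banner Snort writes to stderr and tell whether the [suppression] section holds real entries or only "none". It assumes the banner layout quoted above; both sample banners are constructed, and the "loaded" entry text is illustrative rather than copied from Snort. For a live run, capture stderr with stdout, which `2>&1` does in cmd.exe as well as in a Unix shell: `snort -c snort.conf -T 2>&1 | section_entries suppression`.

```shell
# Added example, not code from the thread.  Assumes the banner layout
# quoted above: sections delimited by "+----[name]----" lines, one entry
# per "| ..." line, the whole box closed by a bare "+----" line.

# Print the "| ..." entries of the named section, without the "| ".
section_entries() {
    awk -v want="$1" '
        /^[+]-+\[[a-z-]+\]-+$/ {               # section header line
            name = $0
            sub(/^[+]-+\[/, "", name); sub(/\]-+$/, "", name)
            insec = (name == want); next
        }
        /^[+]-+$/ { insec = 0 }                  # closing rule of the box
        insec && /^[|] / { sub(/^[|] /, ""); print }
    '
}

# Succeeds when the section lists anything other than "none", i.e. when
# Snort actually read threshold/suppress lines for it.
section_loaded() {
    section_entries "$1" | grep -qv '^none$'
}

# Constructed banner matching the one quoted above (nothing loaded).
BANNER_EMPTY=$(cat <<'EOF'
+------------[thresholding-config]------------
| memory-cap : 1048576 bytes
+------------[thresholding-global]------------
| none
+------------[thresholding-local]-------------
| none
+------------[suppression]--------------------
| none
+---------------------------------------------
EOF
)

# Constructed fragment for a loaded suppress entry (illustrative text).
BANNER_LOADED=$(cat <<'EOF'
+------------[suppression]--------------------
| gen-id=1 sig-id=1000001 track=dst ip=10.0.0.5/32
+---------------------------------------------
EOF
)

printf '%s\n' "$BANNER_EMPTY"  | section_loaded suppression || echo "empty: suppression is 'none' (threshold.conf not read)"
printf '%s\n' "$BANNER_LOADED" | section_loaded suppression && echo "loaded: suppression entry found"
```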

