Fwd: Re: [Snort-users] Suppress alerts

Peter Rodger prodger2008 at ...131...
Wed Oct 19 07:00:07 EDT 2005


Hi,

Thanks for your help.  Sorry that I did not send the whole
output to you.  Please see the attached output.txt; there
is also an error that stopped in the log directory.  I cannot
figure out why.

Frank, I did change the switch and the result is the
same as before.

Still get tons of open port alerts and desperately
need your help.

Thanks again,

Peter

--- João Mota <joao at ...13547...> wrote:

> Peter Rodger wrote:
> 
> >Thanks for your reply.  The attached is the output
> >after I ran snort -c snort.conf.
> >
> >Please let me know anything wrong with that.
> >  
> >
> Well... the thresholding info isn't there. I've noticed that this part
> of the output is sent to stderr instead of stdout. Don't know how you
> can redirect this on Windows.
> Anyway, even if you don't have any thresholding configured you should
> get something like:
> 
> Running in IDS mode
> 
> Initializing Network Interface eth0
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 2 Snort rules read...
> 2 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> +------------------------------------------------------------------------------
> Rule application order:
> ->activation->dynamic->alert->pass->log
> Log directory = /var/log/snort
> 
>         --== Initialization Complete ==--
> 
> 
> Instead of having to check the logs for the suppression you can verify
> your configuration in the [suppression] part. If it displays like this
> example (none) it means that the other repliers were right and probably
> you're not pointing to the right threshold.conf file. If there is some
> thresholding info (besides 'none') you should post it here along with (I
> know you've already posted several times) the desired behaviour.
> 
> Good luck ;)
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 



__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: output.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051019/05d6b4b5/attachment.txt>
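The diagnostic João describes (read the boxed [suppression] section of the startup banner; if it says "none", snort.conf is not pulling in the threshold.conf you edited) can be automated. The following is an added example written for this thread, not code from the Snort project or from either poster. It parses the banner sections (tolerating the "> " mail quoting), reports whether any suppress entries were loaded, checks a snort.conf fragment for the `include ... threshold.conf` line, and emits `suppress` directives in Snort 2.x threshold.conf syntax. The first banner sample is constructed from the output quoted above; the second sample's entry line is an assumed rendering of a loaded entry (the thread does not show one), and gen_id 1 / sig_id 1000001 are hypothetical identifiers used only for illustration.

```python
"""Check a Snort 2.x startup banner for loaded suppression config and build
threshold.conf 'suppress' lines.  Added example for this thread; not Snort
project code.  Banner samples are constructed; the loaded-entry line and the
gid/sid values are assumed for illustration."""
import re

# Boxed section header printed at startup, e.g. "+---[suppression]---".
SECTION_RE = re.compile(r"^\+-+\[([\w-]+)\]-+\s*$")
# "include <path>" directive in snort.conf (comment text already removed).
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def parse_banner(text):
    """Return {section_name: [entry, ...]} for the boxed config sections.

    A section whose only entry is 'none' maps to an empty list, which is what
    an unloaded threshold.conf produces for [suppression]."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # strip mail quoting / indent
        m = SECTION_RE.match(line)
        if m:                                 # new boxed section starts
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            continue
        if line.startswith("+---"):           # plain rule closes the box
            current = None
            continue
        if line.startswith("|"):
            entry = line[1:].strip()
            if entry and entry.lower() != "none":
                sections[current].append(entry)
    return sections


def suppression_loaded(text):
    """True when the [suppression] box lists at least one entry."""
    return bool(parse_banner(text).get("suppression"))


def threshold_include(conf_text):
    """Path from the include line that pulls in threshold.conf, or None if
    snort.conf never includes it (the likely cause of a 'none' box)."""
    for raw in conf_text.splitlines():
        m = INCLUDE_RE.match(raw.split("#", 1)[0])
        if m and m.group(1).endswith("threshold.conf"):
            return m.group(1)
    return None


def suppress_line(gen_id, sig_id, track=None, ip=None):
    """Build a threshold.conf 'suppress' directive (Snort 2.x syntax).

    track must be 'by_src' or 'by_dst' and requires ip; with neither, the
    signature is suppressed for every host."""
    line = "suppress gen_id %d, sig_id %d" % (gen_id, sig_id)
    if track is not None:
        if track not in ("by_src", "by_dst") or ip is None:
            raise ValueError("track needs by_src/by_dst and an ip")
        line += ", track %s, ip %s" % (track, ip)
    return line


# Constructed from the banner quoted in the reply above.
BANNER_NONE = """\
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> +------------------------------------------------------------------------------
> Rule application order:
"""

# Assumed rendering of one loaded suppress entry (hypothetical gid/sid).
BANNER_LOADED = BANNER_NONE.replace(
    "[suppression]------------------------------------------\n> | none",
    "[suppression]------------------------------------------\n"
    "> | gen-id=1      sig-id=1000001  track=none")

# Constructed snort.conf fragments: one without, one with the include.
CONF_MISSING = "var RULE_PATH ../rules\ninclude $RULE_PATH/local.rules\n"
CONF_OK = CONF_MISSING + "include $RULE_PATH/threshold.conf\n"

if __name__ == "__main__":
    print("suppression loaded (quoted banner):", suppression_loaded(BANNER_NONE))
    print("suppression loaded (assumed sample):", suppression_loaded(BANNER_LOADED))
    print("threshold.conf included:", threshold_include(CONF_OK))
    print(suppress_line(1, 1000001, "by_src", "192.168.1.0/24"))
```

Because Snort writes the banner to stderr, capture it with `snort -c snort.conf 2>&1 > output.txt` (the `2>&1` redirection works in cmd.exe as well as in a Unix shell) before feeding it to `parse_banner`. If `threshold_include` returns None for your snort.conf, the suppress lines are never read, which matches the "none" box João points at.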

