Fwd: Re: [Snort-users] Suppress alerts

João Mota joao at ...13547...
Thu Oct 20 07:46:23 EDT 2005


Peter Rodger wrote:

>+-----------------------[suppression]------------------------------------------
>| gen-id=119    sig-id=4         
>tracking=dstip=0.0.0.0           mask=0.0.0.0
>
>| gen-id=122    sig-id=27        
>tracking=dstip=0.0.0.0           mask=0.0.0.0
>
>| gen-id=122    sig-id=19        
>tracking=dstip=0.0.0.0           mask=0.0.0.0
>
>*****************
>
>It looked like it reads the threshold.conf...
>  
>
Yes it is.

>Any help will be appreciated.  I am just too upset
>with that.
>  
>
Well... the gen/sid id pairs also appear to be right. My guess is that 
you are using Barnyard and reading old alert files. If you are, try 
using the bookmarking feature ( -w ). If you're not, and if you aren't 
mixing up output files, I haven't got a clue. My suggestion in this latter 
case is to use the linux banner command and write a big ascii-art HELP 
to the mailing list, attaching all info possible:

-desired behaviour (yes again, I had to dig inside my mail trash to find 
your first message)
-snort.conf and command line options used
-threshold.conf
-snort version
-pieces of output logs where it happens
-barnyard conf and command line options used (if you are using it)
-all the paths to the files you are submitting

Good luck,
João

P.S. Don't reply to my address... I'm already receiving duplicate mails 
when you post to more than one mailing-list.
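A check that follows from the list above, added here as an example and not something from the thread or from the Snort project: it parses suppress directives in Snort's threshold.conf syntax (gen_id/sig_id, with the optional track/ip pair) and alert_fast log lines, then reports alerts the directives should have hidden. Running it over the log file Snort or Barnyard actually writes is the quickest way to tell a stale or mixed-up output file from a suppression that is not being applied. The three gen/sid pairs are the ones quoted in the thread; the tracked entry, its 10.0.0.5 address and all alert lines are constructed for the example.

```python
import ipaddress, re

# Constructed threshold.conf: the three gen/sid pairs from the thread plus
# one destination-tracked entry (the ip value is assumed for the example).
THRESHOLD_CONF = """\
suppress gen_id 119, sig_id 4
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19, track by_dst, ip 10.0.0.5
"""
# Constructed alert_fast lines; timestamps, addresses and messages are invented.
ALERT_LOG = """\
10/20-07:46:23.000001  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.7:3301 -> 10.0.0.5:80
10/20-07:46:24.000002  [**] [122:19:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 10.0.0.5
10/20-07:46:25.000003  [**] [122:19:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 10.0.0.6
10/20-07:46:26.000004  [**] [1:2000:3] custom rule [**] [Priority: 1] {TCP} 10.0.0.9:4444 -> 10.0.0.5:22
"""
SUPPRESS_RE = re.compile(  # suppress gen_id N, sig_id N[, track by_src|by_dst, ip A.B.C.D[/bits]]
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
ALERT_RE = re.compile(  # [gid:sid:rev] ... {proto} src[:port] -> dst[:port]
    r"\[(\d+):(\d+):\d+\].*\{[^}]*\}\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$")

def parse_suppressions(text):
    """Return (gid, sid, track, network) tuples; network is None when untracked."""
    rules = []
    for m in filter(None, map(SUPPRESS_RE.match, text.splitlines())):
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules

def parse_alerts(text):
    """Return (gid, sid, src_ip, dst_ip) tuples from alert_fast lines."""
    matches = filter(None, map(ALERT_RE.search, text.splitlines()))
    return [(int(g), int(s), src, dst) for g, s, src, dst in (m.groups() for m in matches)]

def is_suppressed(alert, rules):
    """True if a suppress directive with matching gid/sid (and address) applies."""
    gid, sid, src, dst = alert
    for rgid, rsid, track, net in rules:
        if (rgid, rsid) == (gid, sid):
            if net is None:  # untracked: suppress regardless of addresses
                return True
            if ipaddress.ip_address(src if track == "by_src" else dst) in net:
                return True
    return False

def leaked_alerts(conf_text, log_text):
    # Alerts present in the log that the suppress directives should have hidden.
    rules = parse_suppressions(conf_text)
    return [a for a in parse_alerts(log_text) if is_suppressed(a, rules)]
```

An empty result on a freshly written log means the suppressions work and the alerts being seen come from an older file; a non-empty one means the threshold.conf in use is not the one Snort loaded.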

