Fwd: Re: [Snort-users] Suppress alerts

João Mota joao at ...13547...
Thu Oct 20 07:46:23 EDT 2005

Peter Rodger wrote:

>| gen-id=119    sig-id=4         
>tracking=dstip=           mask=
>| gen-id=122    sig-id=27        
>tracking=dstip=           mask=
>| gen-id=122    sig-id=19        
>tracking=dstip=           mask=
>It looked like it reads the threshold.conf...
Yes it is.

>Any help will be appreciated.  I am just too upset
>with that.
Well... the gen/sid id pairs also appear to be right. My guess is that 
you are using Barnyard and reading old alert files. If you are, try 
using the bookmarking feature (-w). If you're not, and if you aren't 
mixing up output files, I haven't got a clue. My suggestion in this latter 
case is to use the Linux banner command and write a big ASCII-art HELP 
to the mailing list, attaching all info possible:

-desired behaviour (yes again, I had to dig inside my mail trash to find 
your first message)
-snort.conf and command line options used
-snort version
-pieces of output logs where it happens
-barnyard conf and command line options used (if you are using it)
-all the paths to the files you are submitting

Good luck,

P.S. Don't reply to my address... I'm already receiving duplicate mails 
when you post to more than one mailing list.
