[Snort-users] Is this right one?

Peter Rodger prodger2008 at ...131...
Tue Oct 25 09:47:48 EDT 2005


Bruce,

Thanks for your help as always.  Currently, I did the
same thing and commented out portscan in snort.conf.
I do not know what the downside of this is.

I am getting very interested in Snort and am trying to
learn like a baby.  Please forgive my newbie
questions.

Thank you,

Peter



--- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:

> suppress gen_id 119, sig_id 4 works for me.
> 
> I don't run portscan, so I've not tried suppress on
> those alerts.
> 
> Bruce
> 
> 
> -----Original Message-----
> From: Peter Rodger [mailto:prodger2008 at ...131...] 
> Sent: Tuesday, October 25, 2005 12:07 PM
> To: Briggs, Bruce; Eric Maheo; s
> Subject: RE: [Snort-users] Is this right one?
> 
> Hi,
> 
> Thanks for your help and it works (only monitoring
> exchange servers' traffic) .
> 
> I still could not figure out why these do not
> work, as posted before:
> [snort] (portscan) Open Port unclassified
> [snort] (portscan) UDP Portsweep unclassified
> [snort] (http_inspect) BARE BYTE UNICODE ENCODING
> 
> I have attempted to suppress these alerts in my
> snort.conf file like the following:
> suppress gen_id 122, sig_id 27
> suppress gen_id 122, sig_id 19
> suppress gen_id 119, sig_id 4
> 
> Could it be too much traffic overloading the Snort
> box, so that it cannot process the suppress lines
> indicated above?
> Currently, the Snort box is placed inside the firewall
> and I span the PIX port to the Snort monitoring port.
> 
> Please give me some suggestions and hints.  Should I
> buy taps?
> 
> Thanks as always,
> 
> Peter
> 
> 
> --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> 
> > The format should be:
> > suppress gen_id 1, sig_id 1070
> > 
> > Make sure that you have an uncommented include in
> > snort.conf for threshold.conf.
> > 
> > Also you could comment out sid 1070 in
> > web-misc.rules.
> > 
> > Many use oinkmaster to automatically update new
> > Snort sigs and keep mods
> > to their Snort rules.
> > 
> > Bruce
> > 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]
> > On Behalf Of Peter Rodger
> > Sent: Tuesday, October 25, 2005 10:35 AM
> > To: s
> > Subject: [Snort-users] Is this right one?
> > 
> > Hi all,
> > I try to suppress this one event:
> > WEB-MISC WebDAV search access
> > I added suppress sid_id 1070 in the threshold.conf.
> > Is this right?
> > 
> > Thanks,
> > 
> > Peter
> > 
> > 
> > 
> > __________________________________
> > Yahoo! FareChase: Search multiple travel sites in
> > one click.
> > http://farechase.yahoo.com
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by the JBoss Inc.
> > Get Certified Today * Register for a JBoss Training
> > Course
> > Free Certification Exam for All Training Attendees
> > Through End of 2005
> > Visit http://www.jboss.com/services/certification
> > for more information
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or
> > unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
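The thread turns on the exact form of a Snort 2.x suppress line (gen_id and sig_id, not sid_id, and the directive only takes effect if threshold.conf is actually included from snort.conf). The following is an added example, not code from Snort or from anyone in the thread: a small parser that accepts the suppress syntax documented for Snort 2.x (`suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst>, ip <addr|cidr>]`), rejects the `suppress sid_id 1070` form from the first post, and applies the rules to a handful of constructed alerts so you can see which of the three events (122:27, 122:19, 119:4) are dropped and how a `track by_src, ip` scope keeps the WebDAV alert for every source except one known scanner. The threshold.conf text, the alerts and the addresses are all constructed for the example; only single IPs or CIDRs are accepted after `ip` (a simplification of what Snort allows).

```python
"""Simulate Snort 2.x 'suppress' directives from threshold.conf.

Added example, not code from Snort or from the mailing-list thread.
It parses suppress lines in the format given in the thread and applies
them to constructed alert records, so you can see which alerts survive.
"""
import ipaddress
import re

# Syntax per the Snort 2.x manual:
#   suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst>, ip <ip>]
_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(text):
    """Return (rules, errors): rules as dicts, errors as (lineno, line)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _SUPPRESS_RE.match(line)
        if not m:
            errors.append((lineno, raw.strip()))  # e.g. 'suppress sid_id 1070'
            continue
        gid, sid, track, ip = m.groups()
        rule = {"gid": int(gid), "sid": int(sid), "track": track, "net": None}
        if track:
            # single address or CIDR; Snort's real 'ip' list syntax is wider
            rule["net"] = ipaddress.ip_network(ip, strict=False)
        rules.append(rule)
    return rules, errors


def is_suppressed(alert, rules):
    """True if any rule drops this alert (unscoped, or scoped by src/dst)."""
    for r in rules:
        if (alert["gid"], alert["sid"]) != (r["gid"], r["sid"]):
            continue
        if r["track"] is None:
            return True
        addr = alert["src"] if r["track"] == "by_src" else alert["dst"]
        if ipaddress.ip_address(addr) in r["net"]:
            return True
    return False


def apply_suppress(alerts, rules):
    return [a for a in alerts if not is_suppressed(a, rules)]


# Constructed threshold.conf fragment (not the poster's real config)
THRESHOLD_CONF = """\
# the three events from the thread, dropped for every source
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
# WebDAV search access, but only when the in-house scanner is the source
suppress gen_id 1, sig_id 1070, track by_src, ip 10.1.2.3
# the form from the first post in the thread: rejected, wrong keyword
suppress sid_id 1070
"""

# Constructed alerts (gid, sid, src, dst); addresses are documentation ranges
ALERTS = [
    {"gid": 122, "sid": 27, "src": "192.0.2.10", "dst": "10.1.1.5"},    # Open Port
    {"gid": 122, "sid": 19, "src": "192.0.2.10", "dst": "10.1.1.5"},    # UDP Portsweep
    {"gid": 119, "sid": 4, "src": "192.0.2.20", "dst": "10.1.1.8"},     # BARE BYTE UNICODE
    {"gid": 1, "sid": 1070, "src": "10.1.2.3", "dst": "10.1.1.8"},      # scanner: dropped
    {"gid": 1, "sid": 1070, "src": "198.51.100.7", "dst": "10.1.1.8"},  # stranger: kept
    {"gid": 122, "sid": 1, "src": "192.0.2.10", "dst": "10.1.1.5"},     # TCP Portscan: kept
]


def demo():
    """Parse the constructed config and return (surviving alerts, parse errors)."""
    rules, errors = parse_suppress(THRESHOLD_CONF)
    return apply_suppress(ALERTS, rules), errors


if __name__ == "__main__":
    kept, errors = demo()
    for lineno, bad in errors:
        print(f"threshold.conf:{lineno}: cannot parse: {bad!r}")
    for a in kept:
        print(f"ALERT [{a['gid']}:{a['sid']}] {a['src']} -> {a['dst']}")
```

Running it shows only the WebDAV alert from the unknown source and the TCP Portscan surviving, and reports the `suppress sid_id 1070` line as unparseable. Snort itself refuses a malformed threshold line at startup, so after editing threshold.conf run `snort -T -c /etc/snort/snort.conf` (the path is an assumption) to test the whole configuration before restarting the sensor; the scoped `track by_src, ip` form is the middle ground between leaving a noisy signature on and commenting it out of the rules file altogether.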


More information about the Snort-users mailing list