[Snort-users] SNort signature based filtering

Eric Hines eric.hines at ...8860...
Mon Feb 6 06:26:06 EST 2006



Mac:

Yes, it's possible. Using the threshold.conf file, you can set up
suppression for particular SIDs coming from or going to particular SRC
or DST IP addresses respectively or ALL events matching a particular SID.

See the etc/threshold.conf file for more details.

---------- etc/threshold.conf ---------
#  Suppress this event completely
#
# suppress gen_id 1, sig_id 1852
#
#  Suppress this event from this IP
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
#  Suppress this event to this CIDR block
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24




Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC




mac subbu wrote:
> Hi,
> Is it possible to filter out SID from a particular source in snort ???
> And if possible how can we achieve that
> 
> Thanks and regards
> 
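Added example, not part of the original message or of Snort itself: a small Python checker that reads active `suppress` lines in the three forms shown in the reply and reports whether a given alert would be hidden, which helps when reviewing how much visibility a suppression removes. The function names are hypothetical, SIDs 1853 and 1854 are constructed for the sample, and each line is assumed to carry a single IP or CIDR block.

```python
import ipaddress

# Constructed sample: the three forms from etc/threshold.conf, uncommented.
# SIDs 1853 and 1854 are made up so each form can be checked separately.
SAMPLE_CONF = """\
# comment lines are ignored
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
suppress gen_id 1, sig_id 1853, track by_dst, ip 10.1.1.0/24
suppress gen_id 1, sig_id 1854
"""

def parse_suppress(text):
    """Return one dict per active (uncommented) suppress line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress"):
            continue
        opts = {}
        for part in line[len("suppress"):].split(","):
            key, _, value = part.strip().partition(" ")
            opts[key] = value.strip()
        rule = {"gid": int(opts["gen_id"]), "sid": int(opts["sig_id"]),
                "track": opts.get("track"), "net": None}
        if rule["track"] is not None:
            if rule["track"] not in ("by_src", "by_dst") or "ip" not in opts:
                raise ValueError(f"bad suppress line: {raw!r}")
            # A bare address becomes a /32 (or /128) network.
            rule["net"] = ipaddress.ip_network(opts["ip"], strict=False)
        rules.append(rule)
    return rules

def is_suppressed(rules, gid, sid, src, dst):
    """True if an alert with this gid/sid and these endpoints would be hidden."""
    for r in rules:
        if (r["gid"], r["sid"]) != (gid, sid):
            continue
        if r["track"] is None:          # no track/ip: suppressed for every host
            return True
        addr = ipaddress.ip_address(src if r["track"] == "by_src" else dst)
        if addr in r["net"]:
            return True
    return False

def unscoped(rules):
    """SIDs suppressed for all hosts: the entries to review first."""
    return [r["sid"] for r in rules if r["track"] is None]
```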



