[Snort-users] Snort signature based filtering
andreaso at ...236...
Mon Feb 6 06:59:03 EST 2006
On Monday 06 February 2006 15:26, Eric Hines wrote:
> Yes, it's possible. Using the threshold.conf file, you can set up
> suppression for particular SIDs coming from or going to particular
> SRC or DST IP addresses respectively or ALL events matching a
> particular SID.
If you want to disable alerts for a rule regardless of the src and dst
address, it's a waste of valuable resources to use suppression.
Here is a related document I wrote a couple of years ago that some
people might find useful (it's not anything Oinkmaster-specific):
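An added example, not part of the original message: a small Python check that reads threshold.conf-style text and lists `suppress` entries that carry no `track`/`ip` qualifier, which are the SIDs the reply above says are better disabled in the rule set than suppressed. The sample configuration and the function names are constructed for illustration.

```python
# Constructed sample threshold.conf content (not taken from the thread).
SAMPLE_CONF = """\
# suppress one noisy host only
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
# suppress everywhere, regardless of source or destination
suppress gen_id 1, sig_id 2003
suppress gen_id 1, sig_id 469, track by_dst, ip 10.1.1.0/24
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
"""


def parse_suppress(line):
    """Return the options of a suppress line as a dict, or None for other lines."""
    line = line.split("#", 1)[0].strip()      # drop comments and whitespace
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "suppress":
        return None
    opts = {}
    for field in parts[1].split(","):         # "gen_id 1", "sig_id 2003", ...
        tokens = field.split()
        if len(tokens) == 2:
            opts[tokens[0].lower()] = tokens[1]
    return opts


def unconditional_suppressions(conf_text):
    """List (gen_id, sig_id) pairs suppressed for every source and destination."""
    found = []
    for line in conf_text.splitlines():
        opts = parse_suppress(line)
        if not opts or "gen_id" not in opts or "sig_id" not in opts:
            continue
        # No address qualifier: the rule is still evaluated on traffic and only
        # its alert is dropped, so it is a candidate for disabling instead.
        if "track" not in opts and "ip" not in opts:
            found.append((int(opts["gen_id"]), int(opts["sig_id"])))
    return found


if __name__ == "__main__":
    for gen_id, sig_id in unconditional_suppressions(SAMPLE_CONF):
        print(f"gen_id {gen_id}, sig_id {sig_id}: suppressed for all addresses; "
              "consider disabling the rule itself")
```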