[Snort-users] Snort signature based filtering

Andreas Östling andreaso at ...236...
Mon Feb 6 06:59:03 EST 2006


On Monday 06 February 2006 15:26, Eric Hines wrote:
> Yes, it's possible. Using the threshold.conf file, you can set up
> suppression for particular SIDs coming from or going to particular
> SRC or DST IP addresses respectively or ALL events matching a
> particular SID.

If you want to disable alerts for a rule regardless of the src and dst 
address, it's a waste of valuable resources to use suppression.
Here is a related document I wrote a couple of years ago that some 
people might find useful (it's not anything Oinkmaster-specific):

http://oinkmaster.sourceforge.net/avoiding_snort_alerts.txt

/Andreas
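
The distinction drawn in this thread, as an added example that is not part of the original message: a `suppress` entry with no `track`/`ip` restriction hides every alert from a rule that Snort still loads and evaluates, so such entries are candidates for disabling the rule in the ruleset instead. The sketch below finds them in a threshold.conf; the sample file content, SIDs and addresses are constructed, and the function names are hypothetical.

```python
# Constructed sample threshold.conf content (SIDs and addresses are made up).
SAMPLE_THRESHOLD_CONF = """\
# suppress one SID for a single source host
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
# suppress one SID for a destination network
suppress gen_id 1, sig_id 2003, track by_dst, ip 10.1.1.0/24
# suppress a SID for every address
suppress gen_id 1, sig_id 1000001
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
"""


def parse_suppress(line):
    """Return the options of a suppress line as a dict, or None for any other line."""
    words = line.split("#", 1)[0].split(None, 1)
    if len(words) != 2 or words[0] != "suppress":
        return None
    opts = {}
    for part in words[1].split(","):
        fields = part.split(None, 1)  # e.g. "sig_id 1852" -> ["sig_id", "1852"]
        if len(fields) == 2:
            opts[fields[0]] = fields[1].strip()
    return opts


def unconditional_suppressions(conf_text):
    """List (gen_id, sig_id) pairs suppressed with no track/ip restriction."""
    found = []
    for line in conf_text.splitlines():
        opts = parse_suppress(line)
        if opts is None or "sig_id" not in opts:
            continue
        # No address restriction: every alert for this SID is discarded,
        # so the rule could be disabled in the ruleset instead.
        if "track" not in opts and "ip" not in opts:
            found.append((int(opts.get("gen_id", 1)), int(opts["sig_id"])))
    return found


if __name__ == "__main__":
    for gid, sid in unconditional_suppressions(SAMPLE_THRESHOLD_CONF):
        print(f"gen_id {gid}, sig_id {sid}: suppressed for all addresses; "
              "consider disabling the rule itself")
```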



