[Snort-users] Alert Suppression Fail

Joel Esler joel.esler at ...1935...
Thu May 18 15:49:01 EDT 2006



There is no sid of 16.  What alert are you trying to suppress?  Are  
you trying to suppress "http_inspect: OVERSIZE CHUNK ENCODING"?

That would be gen_id 119, sig_id 16.

Check out your gen-msg.map and sid-msg.map in your etc/ directory in  
Snort.

Joel


On May 18, 2006, at 6:07 PM, kritikus Araklidas wrote:

> Hi everyone:
>
> I have installed snort 2.4.4 and after some weeks of monitoring my  
> network I'm still working on threads suppression, so, some of them  
> work fine but some of them don't work, like the following:
>
> GEN:SID  1:16
>
> Message  Sorry, no such sid-gen (1:16)
>
> I configured the suppression rule in the threshold.conf file like:
>
> suppress gen_id 1, sig_id 16, track by_src, ip X.X.X.0/24
>
> But the suppression doesn't work; the same thing happened with the  
> GEN:SID with no information on snort database.
>
> Any idea is appreciated.
>
> Regards.
>
> Chris.
>

--Joel
joel.esler at ...1935...
http://demo.sourcefire.com/jesler.pgp.key





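The map-file check suggested in the reply above can be scripted. This is an added example, not part of the original thread or of Snort itself: it reads suppress lines from threshold.conf text and reports any gen_id/sig_id pair that is missing from the maps, along with other generators that do define that sig_id. It assumes the `||`-separated map format and that sid-msg.map entries belong to generator 1; the function names, sample map contents and the 192.0.2.0/24 network are constructed.

```python
import re

# Constructed sample data; the real files live in Snort's etc/ directory.
GEN_MSG_MAP = """\
# generator id || alert id || message
1 || 1 || snort general alert
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
"""
SID_MSG_MAP = """\
# sid || message
1000001 || LOCAL constructed example rule
"""
THRESHOLD_CONF = """\
suppress gen_id 1, sig_id 16, track by_src, ip 192.0.2.0/24
suppress gen_id 119, sig_id 16, track by_src, ip 192.0.2.0/24
"""
SUPPRESS_RE = re.compile(r"^[ \t]*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.M)

def load_known_ids(gen_map_text, sid_map_text):
    """Return {(gen_id, sig_id): message} built from both map files."""
    known = {}
    for text, is_sid_map in ((gen_map_text, False), (sid_map_text, True)):
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = [f.strip() for f in line.split("||")]
            try:
                if is_sid_map:  # assumption: sid-msg.map entries are generator 1
                    known[(1, int(fields[0]))] = fields[1]
                else:
                    known[(int(fields[0]), int(fields[1]))] = fields[2]
            except (ValueError, IndexError):
                continue  # skip malformed lines rather than abort the check
    return known

def check_suppressions(conf_text, known):
    """Return [(gen_id, sig_id, message or None, other gen_ids defining sig_id)]."""
    results = []
    for m in SUPPRESS_RE.finditer(conf_text):
        gid, sid = int(m.group(1)), int(m.group(2))
        others = sorted(g for (g, s) in known if s == sid and g != gid)
        results.append((gid, sid, known.get((gid, sid)), others))
    return results

if __name__ == "__main__":
    known = load_known_ids(GEN_MSG_MAP, SID_MSG_MAP)
    for gid, sid, msg, others in check_suppressions(THRESHOLD_CONF, known):
        print(f"{gid}:{sid}", msg or f"unknown; sig_id {sid} exists under gen_id {others}")
```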



