[Snort-users] Cannot suppress events from a security scanner

Joel Esler joel.esler at ...1935...
Thu Apr 5 11:04:55 EDT 2007


Are you just trying to ignore traffic to/from this host totally?

Why don't you use a bpf filter at Snort's command line, or even write pass rules?

joel


On Thu, Apr 05, 2007 at 04:54:56PM +0200, it looks like trashboy at ...953... sent me:
> Hi all,
> 
> I would like to exclude from snort processing rules a security scanner. To do
> so, I've completed as follow the threshold.conf file:
> 
> suppress gen_id 1, sig_id 1-9999, track by_src, ip 192.168.1.250
> suppress gen_id 1, sig_id 1-9999, track by_dst, ip 192.168.1.250
> 
> Unfortunately, it doesn't works. Snort goes on processing traffic from this IP
> address. I've done another test specifying just one sig_id and in this case it
> works. Anyone can help me solve this issue ?
> 
> Thanks,
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 



+---------------------------------------------------------------------+
Joel Esler                                          Security Consultant
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+




More information about the Snort-users mailing list