[Snort-users] Performance and rule tuning

Jefferson, Shawn Shawn.Jefferson at ...14448...
Thu Dec 4 13:57:33 EST 2008


I've read through the README and I still have a question: what should the gen_id of "ftp_pp: FTP command channel encrypted" be? 125 or 1?

My suppress rule looks like:

suppress gen_id 125, sig_id 7


-----Original Message-----
From: Joel Esler [mailto:eslerj at ...11827...]
Sent: December 03, 2008 1:34 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Performance and rule tuning

On Dec 3, 2008, at 2:57 PM, Jefferson, Shawn wrote:

> One more question about rule tuning:
> I am getting some false positives from the ftp pre-processor.  How
> do I suppress these without disabling the pre-processor altogether?

Threshold and Suppression commands.  Take a look at the
README.threshold in the doc/ directory of your Snort tarball, also
take a look at the threshold.conf file in the etc/ directory of your
Snort tarball.  You will see many examples on how to configure
Threshold and Suppression, in order to tune your system.
