[Snort-users] Performance and rule tuning

Joel Esler eslerj at ...11827...
Thu Dec 4 14:11:15 EST 2008


On Dec 4, 2008, at 1:57 PM, Jefferson, Shawn wrote:

> Hi,
>
> I've read through the README and I still have a question: what
> should the gen_id of "ftp_pp: FTP command channel encrypted" be?
> 125 or 1?
>
> My suppress rule looks like:
>
> suppress gen_id 125, sig_id 7
>

It's 125, 7.  But for future reference, these numbers are located in  
your gen-msg.map in the etc/ directory of the tarball.

Joel
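
The lookup described in the reply above, as an added example that is not part of the original post: it parses text in the gen-msg.map layout (gen_id || sig_id || message) and prints the matching suppress line. The function names and the sample map are constructed here; only the 125 || 7 entry comes from the thread.

```python
# Added example: resolve a preprocessor alert message to its gen_id/sig_id
# using the gen-msg.map layout, then emit the suppress directive.
# SAMPLE_MAP is constructed for illustration; point the parser at the real
# etc/gen-msg.map from the Snort tarball in practice.

SAMPLE_MAP = """\
# constructed sample: gen_id || sig_id || message
1 || 1 || example: placeholder entry for the text-rule generator
125 || 1 || ftp_pp: placeholder entry one
125 || 7 || ftp_pp: FTP command channel encrypted
this line is malformed and must be skipped
"""


def parse_gen_msg_map(text):
    """Return a list of (gen_id, sig_id, message) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Split on the first two delimiters only, so a message that
        # itself contains "||" is kept whole.
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # malformed entry
        entries.append((int(parts[0]), int(parts[1]), parts[2]))
    return entries


def find_ids(entries, needle):
    """Case-insensitive substring match on the alert message."""
    needle = needle.lower()
    return [(gid, sid) for gid, sid, msg in entries if needle in msg.lower()]


def suppress_lines(entries, needle):
    """Build one suppress directive per matching gen_id/sig_id pair."""
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for gid, sid in find_ids(entries, needle)]


if __name__ == "__main__":
    parsed = parse_gen_msg_map(SAMPLE_MAP)
    for directive in suppress_lines(parsed, "FTP command channel encrypted"):
        print(directive)
```
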



