[Snort-users] alert suppression
Shawn.Jefferson at ...14448...
Tue May 5 18:25:38 EDT 2009
I want to suppress some alerts I've been getting, specifically the tag: tagged packet. I've tried putting "suppress gen_id 2, sig_id 1" in the threshold.conf file, but this doesn't seem to be working. Is there a better way to suppress this alert? Especially if there is a method that is better performance-wise. I've looked around in the documentation and didn't see anything specific to the tag: tagged packet alert.
Also, the new dcerpc2 preprocessor is pretty noisy in my environment, creating quite a few alerts each day. Can anyone share any tuning advice for this?