[Snort-users] alert suppression

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue May 5 18:25:38 EDT 2009


Hi,

I want to suppress some alerts I've been getting, specifically the tag: tagged packet.  I've tried putting "suppress gen_id 2, sig_id 1" in the threshold.conf file, but this doesn't seem to be working.  Is there a better way to suppress this alert?  Especially if there is a method that is better performance-wise.  I've looked around in the documentation and didn't see anything specific to the tag: tagged packet alert.

Also, the new dcerpc2 preprocessor is pretty noisy in my environment, creating quite a few alerts each day.  Can anyone share any tuning advice for this?

Thanks,
Shawn
