[Snort-users] alert suppression

Joel Esler jesler at ...1935...
Tue May 5 19:39:22 EDT 2009


What alert is generating the tag alerts?  Is it a rule, or is it the stream
preprocessor?  (grep your rules files for the word "Tag".  I think there is
only 1 rule in the VRT ruleset with tag turned on by default.
As for the dcerpc2 preprocessor, take a look at the readme.  It has an
"events none" configuration option for your snort.conf.

J

On Tue, May 5, 2009 at 6:25 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

>  Hi,
>
> I want to suppress some alerts I’ve been getting, specifically the tag:
> tagged packet.  I’ve tried putting “suppress gen_id 2, sig_id 1” in the
> threshold.conf file, but this doesn’t seem to be working.  Is there a better
> way to suppress this alert?  Especially if there is a method that is better
> performance-wise.  I’ve looked around in the documentation and didn’t see
> anything specific to the tag: tagged packet alert.
>
> Also, the new dcerpc2 preprocesser is pretty noisy in my environment,
> creating quite a few alerts each day.  Can anyone share any tuning advice
> for this?
>
> Thanks,
> Shawn
>
>
>
> ------------------------------------------------------------------------------
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK
> i700
> Series Scanner you'll get full speed at 300 dpi even with all image
> processing features enabled. http://p.sf.net/sfu/kodak-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
http://twitter.com/joelesler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090505/e074e24c/attachment.html>


More information about the Snort-users mailing list